Encryption of programs represented as polynomial mappings and their computations

ABSTRACT

Three variations of a method of representing (abstract) state machines as polynomial mappings, and three variations of a corresponding encryption program stored on a computer readable medium. The encryption program is based directly on symbolic functional composition of polynomial mappings with permutations expressed as polynomial mappings.

DISCUSSION OF THE BACKGROUND

1. Field of Invention

The present invention relates to a secure encryption method, and moreparticularly to a method for converting a class of abstract computationmachines (state machines) to a polynomial representation.

2. Background of the Invention

Previous work on encrypted functions is described in T. Sander and C.Tschudin, “Protecting Mobile Agents Against Malicious Hosts,” SpringerLNCS 1419, pp. 44-60 (hereinafter “Sander”) (the contents of which areincorporated herein by reference), which describes a system forevaluating a single encrypted polynomial. Sander describes encryptingpolynomials by selecting an appropriate algorithm for encryption of thepolynomial's coefficients on an individual basis.

Additional research was performed on privacy homomorphisms. A simplisticdescription of a privacy homomorphism is an encryption function, e, suchthate(x+y)=e(x)+e(y), e(xy)=e(x)e(y), etc.Such privacy homomorphisms are discussed in R. Rivest, L. Adleman, andM. Dertouzos, “On Data Banks and Privacy Homomorphisms,” in “Foundationsof Secure Computation,” editor R. DeMillo, Academic Press, 1978, ISBN0-12-210350-5 (hereinafter “Rivest”), the contents of which areincorporated herein by reference.

Multi-party computations are also known. Common for many of theseprotocols is that they solve the problem where m people wish to evaluatea function f(x₁, . . . ,x_(m)), where each person P_(i) knows onlyx_(i), such that:

-   -   1. no information or a minimum of information about any x_(j)        for j≠i is leaked to P_(i) during the evaluation of the function        f    -   2. the identity of all cheaters is known by the time the        evaluation is completed    -   3. the value of f(x₁, . . . ,x_(m)) becomes known to all        participants simultaneously (or almost simultaneously) upon        termination of the protocol.        One of the first protocols for secure multiparty computations        was proposed in A. Yao, “Protocols for Secure Computations        (extended abstract)”, 23^(rd) Annual Symposium on Foundations of        Computer Science, 1982, IEEE Computer Society's Technical        Committee on Mathematical Foundations of Computing (hereinafter        “Yao”), the contents of which are incorporated herein by        reference. Yao describes the case where m people want to compute        f(x₁, . . . ,x_(m)) under the following conditions:    -   1. each person P_(i) initially knows only x_(i), and does not        the value of any x_(j) for j≠i    -   2. f must be computed such that after the computation, person        P_(i) still knows the exact value of only x_(i), and does not        the value of any x_(j) for j≠i.        Yao describes computing functions of the form f: X₁× . . .        ×X_(m)→V.

Another approach is described in G. Brassard and C. Crepeau,“Zero-Knowledge Simulation of Boolean Circuits,” Advances inCryptology—CRYPTO'86: Proceedings, Lecture Notes in Computer Science,Vol. 263, pp. 223-233, Springer-Verlag, 1986 (hereinafter “Brassard”),the contents of which are incorporated herein by reference. Brassarddescribes a method of simulating boolean circuits using zero-knowledgeinteractive protocols. For example, person B computes a function f:D→{0,1} in several rounds with the aid of person A. Person A providesdata about the evaluation to person B using a zero-knowledge interactiveprotocol. Person B cannot compute the encrypted evaluation fromencrypted data supplied by person A.

Chaum, Damg{dot over (a)}rd, and van de Graaf, “Multiparty ComputationsEnsuring Privacy of Each Party's Input and Correctness of the Result,”Advances in Cryptology—CRYPTO'87: Proceedings, editor C. Pomerance,Lecture Notes in Computer Science, Vol. 293, pp. 87-119,Springer-Verlag, 1987 (hereinafter “Chaum”) (the contents of which areincorporated herein by reference) describes an alternative to Yao'sprotocols. That alternative requires less computation, but assumesquadratic residues.

Abadi, Feigenbaum, and Kilian, “On Hiding Information from an Oracle,”Journal Computer System Science, Vol. 39 (1989), 21-50 (hereinafter“Abadi_(—)1”) (the contents of which are incorporated herein byreference) discusses computing with encrypted data. The abstractdescribes that: Player A wishes to know the value f(x) for some x butlacks the power to compute it. Player B has the power to compute f andis willing to send f(y) to A if she sends him y, for any y. A encryptsx, sends y=E(x) to B, who then computes f(y), returns this result to A,who then infers f(x) from f(y). M. Abadi and J. Feigenbaum, “SecureCircuit Evaluation,” Journal of Cryptology, No. 2, pp. 1-12, 1990(hereinafter “Abadi_(—)2”) (the contents of which are incorporatedherein by reference) describes a related problem. A protocol is used toevaluate a function f(x) by two parties, where one knows how to computef but does not know x, and the other party knows x, but not how tocompute f. The f in question would be expressed as a boolean circuit.This is in fact again the privacy homomorpism problem.

Additional work has been performed recently by M. Naor and B. Pinkas,“Oblivious Transfer and Polynomial Evaluation”, STOC'99, pp. 245-254,and C. Cachin, J. Camenisch, J. Kilian, and J. Mueller, “One-RoundSecure Computation and Secure Autonomous Mobile Agents”, ICALP 2000, pp.512-523, and D. Beaver, “Minimal-Latency Secure Function Evaluation”,EUROCRYPT 2000, pp. 335-350 (the contents of each of those references isincorporated herein by reference).

Encryption systems are discussed in patents such as: U.S. Pat. No.4,120,030, U.S. Pat. No. 4,168,396, U.S. Pat. No. 4,278,837, U.S. Pat.No. 4,306,389, U.S. Pat. No. 4,319,079, U.S. Pat. No. 4,433,207, U.S.Pat. No. 4,465,901, U.S. Pat. No. 4,633,388, U.S. Pat. No. 4,764,959,U.S. Pat. No. 4,847,902, U.S. Pat. No. 4,937,861, U.S. Pat. No.5,007,082, U.S. Pat. No. 5,033,084, U.S. Pat. No. 5,153,921, U.S. Pat.No. 5,341,429, U.S. Pat. No. 5,392,351, U.S. Pat. No. 5,544,244, U.S.Pat. No. 5,592,549, U.S. Pat. No. 5,892,899, U.S. Pat. No. 6,052,870,and U.S. Pat. No. 6,049,609.

As additional background, a brief discussion of representing programs aspolynomials is provided herein. The polynomial representation of aprogram is generated in two steps. First, the program as represented ina programming language is transformed to an abstract computationmachine. Second, the abstract computation machine is transformed to apolynomial mapping. As would be appreciated by one of ordinary skill inthe art, the transformation of a program in a programming language is aprocess specific to the selected programming language, andtransformation methods are constructed for each programming language.

L. Blum, M. Shub, and S. Smale, “On a Theory of Computation andComplexity over the Real Numbers: NP-completeness, Recursive Functions,and Universal Machines,” Bulletin of the American Mathematical Society,vol. 21, No. 1, pp. 1-46 (hereinafter “Blum”) (the contents of which areincorporated herein by reference) describes transforming abstractcomputation machines to polynomials. In addition, it is possible torepresent the computations of most types of finite automata usingpolynomials over a finite field.

SUMMARY OF THE INVENTION

The present invention addresses computation when secrets are kept in thememory of a computer, such that no secrets are represented in plaintextprior to-, during- or after the computation, unless the computationitself dictates otherwise. The invention reduces the need forcommunication between parties during computation. The invention achievesthis with a method and system for encrypting programs, as well as amethod and system for representing a class of abstract computationmachines using polynomials. The invention also achieves this with amethod and system for directly encrypting function tables.

Additionally, the invention also provides a method and system forencrypting abstract computation machines represented in part usingstate-transition tables. Accordingly, it is an object of the presentinvention to overcome deficiencies in known encryption methods andsystems.

It is a further object of the present invention to provide encrypteduniversal (Turing) computation.

It is a still further object of the present invention to provideencrypted universal interactive (Turing) computation.

It is another object of the present invention to provide a method andsystem for transforming abstract computation devices to computationdevices expressed with polynomials.

Another object of the present invention is to provide a method andsystem for renewing—re-encrypting—a partially encrypted state machine.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the invention and many of the attendantadvantages thereof will be readily obtained as the same becomes betterunderstood by reference to the following detailed description whenconsidered in connection with the accompanying drawings, wherein:

FIG. 1 is a schematic illustration of a computer system for providingencrypted computing according to one embodiment of the presentinvention;

FIG. 2 is a top view of a smartcard for performing encryptedcomputation;

FIG. 3 is a block diagram of a smartcard chip for the smartcard of FIG.2;

FIG. 4 is a schematic illustration of a client remotely logging into aserver computer;

FIG. 5A is an automata transition diagram illustrating inputs, outputsand transitions in an exemplary state machine that does not already havea dedicated stopping state, q_(a);

FIG. 5B is a function table corresponding to the transition diagram ofFIG. 5A;

FIG. 5C is a transition diagram illustrating inputs, outputs andtransitions in an exemplary state machine that already has an isolatednode that can be used as a dedicated stopping state, q_(a);

FIG. 5D is a function table corresponding to the transition diagram ofFIG. 5C;

FIG. 6A is a transition diagram corresponding to the addition of inputsand outputs supporting the addition of the dedicated state q_(a) to thediagram of FIG. 5A;

FIG. 6B is a corresponding function table supporting the augmentedautomata of FIG. 6A;

FIG. 6C is a transition diagram corresponding to the addition of inputsand outputs supporting the designation of the dedicated state q_(a) inthe diagram of FIG. 5C;

FIG. 6D is a corresponding function table supporting the augmentedautomata of FIG. 6C;

FIGS. 7A-7C illustrate vectorization examples for N=2, 3, and at least 4for the diagram of FIG. 6C;

FIGS. 8A-8C illustrate determining prime numbers N based on a selectedvectorization of a state machine as defined in FIG. 7;

FIGS. 9A and 9B illustrate a method of adding states to Q′, adding dummyinput symbols, dummy output symbols, and completing the state machinefunction table, using the example of FIG. 5C as augmented in FIG. 7;

FIG. 10 illustrates a random assignment of entries after adding dummyinput and output symbols;

FIG. 11A illustrates an initial function table (corresponding to thevectorization of FIG. 8B) prior to adding entries corresponding to arandom duplication of states;

FIG. 11B illustrates an augmented function table in which a randomlyselected non-dedicated state was selected as a source of a copyoperation for a first row with undefined elements;

FIGS. 11C and 11D illustrate transition diagrams corresponding to thefunction tables of FIGS. 11A and 11B, respectively;

FIG. 12A illustrates an augmented function table (repeated from FIG.11B) prior to randomizing links transitions (or arcs) during a randomrow copying process;

FIG. 12B illustrates an augmented function table in which a transitionof FIG. 12A is modified after copying a row;

FIGS. 12C and 12D illustrate transition diagrams corresponding to thefunction tables of FIGS. 12A and 12B, respectively;

FIGS. 13A and 13B illustrate a function table before and after two nodesare switched;

FIGS. 14A and 14B illustrate a function table before and after two inputsymbols are switched;

FIGS. 15A and 15B illustrate a function table before and after twooutput symbols are switched;

FIG. 16A is a polynomial mapping of inputs and states to outputs;

FIG. 16B is a polynomial interpolation for various states and inputs;

FIG. 17 illustrates a method of precomputing the a_(i)(x) functions;

FIG. 18 illustrates an exemplary BSS machine to be converted to a BSS′machine according to one aspect of the present invention;

FIG. 19 illustrates a method of transforming the BSS machine of FIG. 18;

FIG. 20A illustrates a method of transforming the BSS machine of FIG. 19into a BSS′ machine;

FIG. 20B illustrates an equivalent BSS′ machine generated from scratch;

FIG. 21 illustrates a method of transforming a BSS′ machine into asingle polynomial mapping;

FIGS. 22A-22C illustrates three consecutive steps of a key generationprocess;

FIG. 23 illustrates a graph for use in computing a permutation and itsinverse via interpolation;

FIGS. 24A and 24B illustrate two arithmetic operations over a field asexemplified for Z₅;

FIGS. 25A-25C illustrate encrypting plural variables and mappingcomponents of multivariate polynomials with univariate polynomials;

FIG. 26A illustrates a partially encrypted E_(r,s)∘ h to be used as astarting point in a process of re-encrypting plural variables andmapping components of multivariate polynomials with second univariatepolynomials;

FIG. 26B illustrates a process of re-encrypting plural variables andmapping components of multivariate polynomials with second univariatepolynomials;

FIG. 26C illustrates a result of the re-encrypting process of FIG. 26B;

FIG. 27A illustrates a mapping f represented by a function table;

FIG. 27B illustrates a function table t_(f) from the function table ofFIG. 27A;

FIGS. 27C and 27D generally illustrate converting from a function tablefor f to a function table for t_(f);

FIGS. 28A-28E illustrate a process of symbolically composing mappingsrepresented as function tables to produce a combined function table;

FIGS. 29A and 29B illustrate a process of generating keys formultivariate encryption of multivariate polynomial mappings;

FIG. 30 illustrates the process of encrypting plural variables andmapping components of multivariate polynomials with multivariatepolynomials;

FIG. 31A illustrates the process of re-encrypting plural variables andmapping components of multivariate polynomials with second multivariatepolynomials;

FIG. 31B illustrates the result of the process of FIG. 31A;

FIG. 32A illustrates a process of symbolically composing mappingsrepresented as function tables to produce a combined function table;

FIG. 32B illustrates the result of the process of FIG. 32A;

FIG. 33 illustrates a process of symbolically composing mappingsrepresented as function tables to produce a combined function table;

FIG. 34 illustrates a Turing platform supporting unencrypted andpartially encrypted composition for some machine M on a host O;

FIG. 35 illustrates a method of computing with host O running a Turingplatform T supporting at least one Mealy register or BSS′ machine M;

FIG. 36A illustrates a state of a register machine including registervectors, an instruction pointer vector, and a storage pointer vector;

FIG. 36B illustrates shared data in the form of D-vectors including astorage cell {right arrow over (S)}_({right arrow over (D)}) that isindexed by {right arrow over (D)};

FIG. 36C illustrates instructions in the form of C-vectors including astorage cell {right arrow over (S)}_({right arrow over (C)}) that isindexed by {right arrow over (C)};

FIG. 36D illustrates a method of operating one the state of FIG. 36A;

FIG. 36E illustrates the result of the method of FIG. 36D;

FIGS. 37A-38C illustrate a method of symbolic composition of twomappings using function tables;

FIG. 39A illustrates a method of generating keys for parameterizedencryption of multivariate mappings;

FIG. 39B illustrates a result after one step of the process of FIG. 39A;

FIG. 40 illustrates a method of parameterized encryption of pluralvariables and mapping components of multivariate mappings withmultivariate mappings;

FIGS. 41A and 41B illustrate a method of augmenting a Mealy machine inpreparation for its use in computation;

FIGS. 42A and 42B illustrate a method of obfuscation of a Mealy machineas part of a method of augmentation,

FIGS. 43A and 43B illustrate processes of transforming state transitionand output mappings of an augmented Mealy machine to polynomial mappingswhere precomputation is and is not cost effective, respectively;

FIG. 44 illustrates a method of adapting a BSS machine for encryptedcomputation where the end result itself may be transformed into a singlemultivariate polynomial mapping;

FIG. 45 illustrates a method of specifying a BSS′ machine directly;

FIG. 46 illustrates a method of transforming a BSS′ machine into asingle multivariate polynomial mapping;

FIG. 47 illustrates a method of transforming a BSS′ machine into asingle mapping represented as a function table;

FIG. 48 illustrates a method of specifying an initial state for a BSS′machine;

FIG. 49 illustrates a method of computing with a BSS′ machinetransformed to a single multivariate mapping H(the BSS′ machine'scomputing endomorphism);

FIG. 50 illustrates a method of specifying a pattern of encryption ofmultivariate mappings with univariate mappings;

FIG. 51 illustrates a method of generating keys for univariateencryption of multivariate mappings;

FIG. 52 illustrates a method of encrypting plural variables andcomponents of multivariate mappings represented using either polynomialsor function tables with univariate functions;

FIG. 53 illustrates a method of generating re-encryption keys forre-encryption of plural variables and components of multivariatemappings, already partially encrypted using first univariate functions,with second univariate functions;

FIG. 54 illustrates a method of re-encrypting plural variables andmapping components of multivariate mappings, already partially encryptedusing first univariate functions, with second univariate functions;

FIG. 55 illustrates a method of converting from a mapping, given as afunction table, to a function given as a function table;

FIG. 56 illustrates a method of converting from a function, given as afunction table, to a mapping given as a function table;

FIG. 57 illustrates a method of symbolically composing two mappings,both represented as a function tables, to produce a function table fortheir composition, (g(f(x));

FIG. 58 illustrates a pattern of encryption of multivariate mappingswith other multivariate mappings;

FIG. 59 illustrates a method of generating keys for multivariateencryption of multivariate mappings;

FIG. 60 illustrates a method of encrypting plural groups of variablesand groups of mapping components of multivariate mappings, h, with othermultivariate mappings;

FIG. 61 illustrates a method of generating re-encryption keys forre-encrypting of a multivariate mapping, h, already partially encryptedwith a first multivariate mapping, s, with second multivariate mappings;

FIG. 62 illustrates a method of re-encrypting a multivariate mapping, h,already partially encrypted with a first multivariate mapping, s, withsecond multivariate mappings;

FIG. 63 illustrates a method of symbolically composing f and h₁, . . . ,h_(k), represented as function tables, to produce a function table forthe composition, f(h₁( ), h₂( ), . . . h_(k)( ));

FIG. 64 illustrates a method of symbolically composing f and h₁, . . .h_(k), represented as function tables, to produce a function table forthe composition, (h₁(f₁( . . . ), . . . ,f_(c) ₁ ( . . . )), . . .,h_(k)(f_(n−c) _(k) ₊₁( . . . ), . . . ,f_(n)( . . . )));

FIG. 65 illustrates a method of computing with a host O running a Turingplatform T supporting at least one of a Mealy and a BSS′ machine M;

FIG. 66 illustrates a method of initializing a register machine;

FIG. 67 illustrates a method of computing with a register machine;

FIG. 68 illustrates a method of computing with a register machine Msupported by a Turing platform T, on a host O;

FIG. 69 illustrates a method of symbolically composing f with and h₁, .. . h_(k), represented as function tables, to produce a mapping;

FIG. 70 illustrates a method of symbolically composing h₁, . . . , h_(k)with f, where all mappings are represented as function tables, producinga new composite mapping;

FIG. 71 illustrates a method of specifying a pattern of parameterizedencryption of multivariate mappings with other multivariate mappings;

FIG. 72 illustrates a method of generating keys for parameterizedmultivariate encryption of multivariate mappings;

FIG. 73 illustrates a method of encrypting a multivariate mapping h withparameterized multivariate mappings;

FIG. 74 illustrates a method of specifying an encryption pattern forparameterized encryption for a specialized application of a registermachine;

FIGS. 75A and 75B illustrate a method of key generation for parametricencryption that is specially adapted for application to a registermachine; amd

FIG. 76 illustrates a method of parameterized encryption specificallyadapted to application to a register machine.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring now to the drawings, wherein like reference numerals designateidentical or corresponding parts throughout the several views, FIG. 1 isa schematic illustration of a computer system for providing encryptedcomputing. A computer 100 implements the method of the presentinvention, wherein the computer housing 102 houses a motherboard 104which contains a CPU 106, memory 108 (e.g., DRAM, ROM, EPROM, EEPROM,SRAM, SDRAM, and Flash RAM), and other optional special purpose logicdevices (e.g., ASICs) or configurable logic devices (e.g., GAL andreprogrammable FPGA). The computer 100 also includes plural inputdevices, (e.g., a keyboard 122 and mouse 124), and a display card 110for controlling monitor 120. In addition, the computer system 100further includes a floppy disk drive 114; other removable media devices(e.g., compact disc 119, tape, and removable magneto-optical media (notshown)); and a hard disk 112, or other fixed, high density media drives,connected using an appropriate device bus (e.g., a SCSI bus, an EnhancedIDE bus, or a Ultra DMA bus). Also connected to the same device bus oranother device bus, the computer 100 may additionally include a compactdisc reader 18, a compact disc reader/writer unit (not shown) or acompact disc jukebox (not shown). Although compact disc 119 is shown ina CD caddy, the compact disc 119 can be inserted directly into CD-ROMdrives which do not require caddies. In addition, a printer (not shown)also provides printed listings of the results of encrypted computing.

As stated above, the system includes at least one computer readablemedium. Examples of computer readable media are compact discs 119, harddisks 112, floppy disks, tape, magneto-optical disks, PROMs (EPROM,EEPROM, Flash EPROM), DRAM, SRAM, SDRAM, etc. Stored on any one or on acombination of computer readable media, the present invention includessoftware for controlling both the hardware of the computer 100 and forenabling the computer 100 to interact with a human user. Such softwaremay include, but is not limited to, device drivers, operating systemsand user applications, such as development tools. Such computer readablemedia further includes the computer program product of the presentinvention for providing encrypted computing. The computer code devicesof the present invention can be any interpreted or executable codemechanism, including but not limited to scripts, interpreters, dynamiclink libraries, Java classes, and complete executable programs. Suchcomputer code devices may also be dynamically loaded across a network(e.g., downloaded from a Wide Area Network (e.g., the Internet)).

As described above, the computer program devices of the presentinvention can be implemented in numerous ways. In one embodiment ofthose code devices, the devices are not separate programs but rather areplug-ins to a separate program. In such an embodiment, an ApplicationProgramming Interface (API) provides a definition of how the encryptionand decryption parameters are passed between the program and the plug-inperforming the encryption. APIs and plug-ins, such as the Pretty GoodPrivacy (PGP) interface and plug-in that enables e-mail to be encryptedor decrypted within mail programs such as Eudora Mail and MicrosoftOutlook, are known. Accordingly, one of ordinary skill in the art, basedon the present specification, would be able to make and use an APIand/or interface for performing encrypted computing.

Applications of the present invention include, but are not limited to,the following:

-   -   smart cards (see FIGS. 2 and 3) and similar trusted computing        bases for high-security applications since current smart cards        are vulnerable because they still do sensitive processing        unencrypted    -   software implementations of cryptosystems on insecure platforms        (see FIG. 1)    -   third party key generation systems, where trust of the party        generating the keys is crucial to its value as a part of a        security system    -   secure remote logins and cryptographic operations (see FIG. 4).        The present invention also enables the construction of secure        mobile agents for computer systems that have no inherent        limitations on their computing ability.

The present invention provides a method and system for constructing“black-box” programs for computations. The cryptographically enhancedfunctions (e.g. polynomials or state transition tables) produced by themethod and system are applied to carry out a computation specified by astate machine. Thus, the method:

-   -   1 makes incomprehensible the nature of the program itself in its        cryptographically enhanced function representation,    -   2. ensures that workspace used by the program is encrypted        during use, and    -   3. ensures encryption of output, if desirable.

As a preliminary matter, as used herein, the phrase “partiallyencrypted” refers to a set of functions in which at least one functionis cryptographically enhanced without requiring that all functions inthe set be cryptographically enhanced. The present invention isapplicable in at least four computations. The first computation involvesat least two parties, A and B, where A wishes to execute a computationusing B's computing resources such that:

-   -   1. A supplies B with a partially encrypted abstract computing        machine, f, expressed using cryptographically enhanced        functions, and a partially encrypted initial state, wherein the        abstract computation machine is transmitted either alone or        within a conventional programming language (e.g. Java, Pascal,        C, C++, machine code), part of which executes the computations        of the partially encrypted abstract computing machine, and    -   2. B supplies any input “requested” by f, depending on which        variant of the abstract computing machine A decides to use. When        using a conventional program, B supplies input indirectly        through the program.        Such computation can be used in an electronic wallet        environment.

The second computation involves one party, A that uses A's own resourceswhere A supplies the partially encrypted abstract computing machine, thepartially encrypted initial state, and any resources the abstractcomputing machine interacts with during its computation. In all three ofthose computations, A may also choose to supply some additional datawith the abstract computing machine, that will allow parts of it tobecome re-encrypted under new encryption keys. Such encryptedcomputations can be used by users who wish to prevent “eavesdropping” onongoing computation.

The third computation involves at least two parties A and B, where Bwishes to execute a computation using A's data such that:

-   -   1. A supplies B with a conventional program, expressed in a        conventional programming language, part of which executes a        computation of a partially encrypted abstract computing machine,        f, expressed using polynomial, where a partially encrypted        initial state is given by A (either separately or along with the        program), and    -   2. A supplies B with the input “requested” by f indirectly        through the program sent to B by A, depending on the variant        abstract computing machine A decides to use, and whether or not        A decides to let its program allocate resources.        Such encrypted computations can be used to enable off-line        document release and online interactive document services.

The fourth computation involves at least two parties A and B, where Bwishes to execute a computation using A's data such that:

-   1. A supplies B with a conventional program, expressed in a    conventional programming language, part of which executes a    computation of a partially encrypted abstract computing machine, f,    expressed using polynomials or state transition tables, where a    partially encrypted initial state is given by A (either separately    or along with the program), and-   2. A supplies B with input “requested” by f indirectly through the    program sent to B by A in addition to input supplied by B, depending    on the variant abstract computing machine A decides to use, and    whether or not A decides to let its program allocate resources.    In one such example, A provides B with data content (e.g. a DVD    movie) that B plays back. The decision process as to whether or not    the DVD is to be played (e.g. based on release date) is based on an    encrypted computation.

The present invention provides a method and apparatus for using apolynomial permutation as an asymmetric secret key cryptosystem inconstructing encrypted programs. The cryptosystem is based on thesymbolic function composition operation, and the fact that decomposingcertain types of multivariate polynomials over a field is an NP-hardproblem. See M. Dickerson, “The Functional Decomposition ofPolynomials”, Ph.D. Thesis, Cornell University, 1989, the contents ofwhich are incorporated herein by reference.

The relevant problem upon which the cryptosystem of the presentinvention is based is described herein as a special non-deterministiccase of the so-called “General Decomposition Problem” for polynomials.Preliminary cryptanalysis suggests that it may offer very goodcryptographic-protection of the abstract state machine itself. The onlycurrently known (cryptographical) vulnerability is statistical analysisof input and output as the computation progresses. Only the ciphertextitself appears to be vulnerable to such analysis. The partiallyencrypted polynomial representation itself has no known vulnerabilities.

As a basis for the rest of the description provided herein, the processof representing abstract computing machines using polynomials isdescribed herein. A Mealy machine is a six-tuple M=(Q,Σ,Δ,δ,λ,q₀), whereQ is the set of states, Σ is the input alphabet, Δ is the outputalphabet, δ:Q×Σ→Q is the state transition function, λ:Q×Σ→Δ is theoutput function, and q₀ is the initial state.

A Mealy machine M is converted to a polynomial mapping by augmenting thedefinition to provide what is effectively a halting state. Thereafter, δand λ are interpolated, using their definitions to provide interpolationdata. The result is a multivariate polynomial mapping that can beiterated with input at each iteration to do the same computation as themachine M. The initial state is specified as a vector of the form({right arrow over (x)}(0),{right arrow over (y)}(0),{right arrow over(z)}(0)), where {right arrow over (x)}(0) is the actual initial state ofthe Mealy machine M, {right arrow over (y)}(0) is the initial input, and{right arrow over (z)}(0) the initial output.({tilde over (δ)}₁({right arrow over (x)}(n),{right arrow over (y)}(n),. . . ,{tilde over (δ)}_(S)({right arrow over (x)}(n),{right arrow over(y)}(n)), {tilde over (λ)}₁({right arrow over (x)}(n),{right arrow over(y)}(n)), . . . ,{tilde over (λ)}_(O)({right arrow over (x)}(n),{rightarrow over (y)}(n)),{right arrow over (y)}(n+1).  (1)The computation is executed by iterating the mapping given inequation 1. This gives the relations: $\begin{matrix}{{\overset{\rightarrow}{x}(n)} = \left\{ \begin{matrix}{{\overset{\sim}{\delta}\left( {{\overset{\rightarrow}{x}\left( {n - 1} \right)},{\overset{\rightarrow}{y}\left( {n - 1} \right)}} \right)},{{{for}\quad n} > 0}} \\{{{given}\quad{for}\quad n} = 0}\end{matrix} \right.} & (2) \\{{\overset{\rightarrow}{z}(n)} = \left\{ \begin{matrix}{{\overset{\sim}{\lambda}\left( {{\overset{\rightarrow}{x}\left( {n - 1} \right)},{\overset{\rightarrow}{y}\left( {n - 1} \right)}} \right)},{{{for}\quad n} > 0}} \\{{{given}\quad{for}\quad n} = 0}\end{matrix} \right.} & (3) \\{{{\overset{\rightarrow}{y}(n)}\quad{is}\quad{given}\quad{for}\quad n} \geq 0.} & (4)\end{matrix}$The class of automata presented in Blum requires modifications for it tobe of use in expressing automata as polynomial mappings. Themodifications are as follows:

-   -   1. Comparison nodes have their greater-than-or-equal-to-zero        relation replaced by a set membership relation, which is        actually expressible as a polynomial over a finite field        consisting of the integers modulo a prime number p.    -   2. Computation and comparison nodes may be mixed.    -   3. Output nodes are required to do computations (to avoid undue        key exposure).    -   4. There is one final node at which all halting computations        must halt.

According to the present invention, modified Blum-Shub-Smale machines(hereinafter referred to as “BSS′ machines”) operate over a finite fieldZ_(N) for a fixed prime number N. Such a machine includes (1) a statespace Z_(N) ^(S), (2) an output space Z_(N) ^(O), (3) an input spaceZ_(N) ^(I), and (4) a directed graph with p numbered nodes; where S, O,and I are positive integers. The set {overscore (S)}={0, . . .,p−1}×Z_(N) ^(S)×Z_(N) ^(O)×Z_(N) ^(I) is called the full state space ofthe Blum-Shub-Smale-like machine. The first component is the nodenumber, the next S components are the automaton's internal work space,the O components after that, the output, and lastly, the I inputcomponents. The graph of the automaton has two main types of nodevariants:

-   -   1. normal nodes, which must have at least one and at most p        outgoing edges, and may have incoming edges; and    -   2. the halting node, which can only have incoming edges, and one        out-going edge pointing to itself.        The nodes may also do one or more of the following:    -   1. compute one or more relations of the type ∈K⊂Z_(N)−{0} in        order to select one of a list of possible outgoing edges for        that node, in order to select the next node to be used in the        computation;    -   2. compute output to the output vector;    -   3. assimilate input in the input vector; and    -   4. carry out a computation with existing information from the        state vector and the input vector.

Such an automaton is transformed to a polynomial mappingH:  {0, …  , p − 1} × Z_(N)^(S) × Z_(N)^(O) × Z_(N)^(I) → {0, …  , p − 1} × Z_(N)^(S) × Z_(N)^(O) × Z_(N)^(I)called its computing endomorphism. H is of the form:$\left( {{\beta\left( {n,{\chi\left( \overset{\rightarrow}{x} \right)}} \right)},{\sum\limits_{i = 0}^{p - 1}{{a_{i}(n)}{g_{i}\left( \overset{\rightarrow}{x} \right)}}}} \right).$

Where a_(i)(n) “chooses” the correct g_(i) mapping to apply on theinternal work space and output depending on which node the computationhas reached. The next-node function β(n,{right arrow over (x)}) computesat which node the next computation step will take place. In this mannerthe automaton moves through its graph as though it were following aflow-chart.

Because the set {0, . . . ,p−1} must be a subset of Z_(N), it ispossible to denote the node number by x₁, the internal state componentsby x₂, . . . ,x_(S+1), the output components by x_(S+2), . . .,x_(S+O+1), and the input components by x_(S+O+2), . . . ,x_(S+O+I+1).The components may or may not be in this order in any given embodiment.The components are hereafter assumed to be in this order to simplifynotation. Then the computing endomorphism simply operates on {rightarrow over (x)}, and is essentially a mappingH : Z_(p)^(1 + S + O + I) → Z_(p)^(1 + S + O + I).This notation will henceforth be used, as it seems to be better withrespect to the BSS′ machines.

The use of univariate polynomials in encryption will now be discussed.Let m+n pairs (r_(i),s_(i)) of mutually inverse permutations permutingthe integers modulo N, be given such that they are expressed asunivariate polynomials. There may or may not be equal pairs(r_(i),s_(i)) of mutually inverse permutations. Some pairs may or maynot be the identity mappings (that is, they do noencryption/decryption). Let the r_(i)s denote the encryption keys, ands_(i)s the decryption keys. Encryption of a polynomial mapping(f₁(x₁, . . . ,x_(m)), . . . ,f_(n)(x₁, . . . ,x_(m)))over the integers modulo N is done by composition, resulting in theencrypted mapping:(r₁(f₁(s_(n+1)(x₁), . . . ,s_(n+m)(x_(m)))), . . .,r_(n)(f_(n)(s_(n+1)(x₁), . . . ,s_(n+m)(x_(m))))).tm (5)This mapping will effectively compute f on data partially encrypted withthe keys r_(n+1), . . . ,r_(n+m). It is then possible to decrypt theresult by applying s₁, . . . ,s_(n) to the individual components. Thesimplest option is to set all pairs (r_(i),s_(i)) to some chosen pair(r,s). It is fully possible, however, to select individual encryptionkeys for each variable and function component. Note: to limit the sizeof the polynomials, and increase computational efficiency, thecomposition method employed by the invention exploits the fact thatexponents greater than N−1 may be reduced in steps of N−1 until theexponent is less than N and greater-than-or-equal-to 0 (zero). This isdone during the computation of the symbolic composition, so that nopolynomial ever has any variable raised to a power higher than N−1.

In order to apply this encryption system to the polynomial mappingrepresenting a Mealy machine, some restrictions must be placed on theselection of key pairs (r_(i),s_(i)). Recalling the form of thepolynomial representation of a Mealy machine given in equation (1), itis clear that there are S+I variables, and S+O function components.Since the S first function components are always fed back into the Sfirst variables, it becomes necessary to require(r_(i),s_(i))=(r_(S+O+i),s_(S+O+i)) for all 1≦i≦S. It is assumed that{right arrow over (y)}(n) has I components. In order to simplifysubsequent notation, the partially encrypted version of the polynomialrepresentation of an abstract state machine is written (E_(r,s)∘H),where H is the plaintext representation of the state machine. The symbol∘ usually denotes functional composition, such that (f∘g)(x)=f(g(x)).The resulting general expression for this encryption system applied to His then:(E _(r,s) ∘H)({right arrow over (x)}(n+1), {right arrow over(z)}(n+1))=r ₁(δ₁(s ₁(x ₁(n)), . . . , s _(S)(x _(S)(n)),s _(2S+O+1)(y₁(n)), . . . ,s _(2S+O+I)(y _(I)(n))), . . . , r _(S)(δ_(S)(s ₁(x ₁(n)),. . . , s _(S)(x _(S)(n)),s _(2S+O+1)(y ₁(n)), . . . ,s _(2S+O+I)(y_(I)(n))), . . . , r _(S+1)(λ₁(s ₁(x ₁(n)), . . . , s _(S)(x _(S)(n)),s_(2S+O+1)(y ₁(n)), . . . ,s _(2S+O+I)(y _(I)(n))), . . . , r _(S+O)(λ₁(s₁(x ₁(n)), . . . ,s _(S)(x _(S)(n)),s _(2S+O+1)(y ₁(n)), . . . ,s_(2S+O+I)(y _(I)(n))))  (6)

Although this encryption system protects the computation of the statemachine from the platform it runs on, that does not preclude thepossibility of the partially encrypted state machine sharing one or moreencryption/decryption key pairs with the platform. This is why also theinput components in equation (6) are displayed as (partially) encrypted.

For a BSS′ machine there will effectively be 1+S+O mappings, and 1+S+O+Ivariables. Only 1+S+I variables are used in the mappings. Also, similarto the partial encryption of the polynomial representation of a Mealymachine, the choice of mappings is restricted by the fact that outputfrom the first 1+S mapping components is fed into the first 1+Svariables for the state space at the next computation step. Thus,(r_(1+S+O+i),s_(1+S+O+i))=(r_(i),s_(i)) for 1≦i≦S+1. Thus, the resultingexpression for the encrypted machine is of the form:{right arrow over (x)}(n+1)=(E _(r,s) ∘H)({right arrow over (x)}(n))=r₁(H ₁(s ₁(x ₁(n)), . . . ,s _(1+S)(x _(1+S)(n)), s _(1+S+O+S+O+2)(x_(S+O+2)(n)), . . . ,s _(1+S+O+S+O+I+1)(x _(S+O+I+1)(n)), . . . , r_(1+S+O)(H _(1+S+O)(s ₁(x ₁(n)), . . . ,s _(1+S)(x _(1+S)(n)), s_(1+S+O+S+O+2)(x _(S+O+2)(n)), . . . ,s _(1+S+O+S+O+I+1)(x_(S+O+I+1)(n))))  (7)

Note, in one embodiment of the present invention, at least one outputcomponent is chosen to be unencrypted. In that embodiment, theencryption function r_(i) is the identity mapping x, and is not appliedto the component. Similarly, variables that do not need decrypting usethe identity mapping x as decryption function s_(j).

The encryption system of the present invention is strengthened by thefact that it effectively includes a special type of non-linear equationsystem with an integer solution, half of whose variables remainundetermined by any equation. Moreover, the present invention protectsthe process of composing polynomials to produce a cryptosystem.

It is possible to re-encrypt a mapping E_(r,s)∘f partially encryptedwith univariate polynomials, such that:

-   -   1. None of the old encryption keys are revealed;    -   2. None of the new encryption keys are revealed;    -   3. The plaintext mapping f is not revealed; and    -   4. None of the encryption keys protecting the new encryption        keys are revealed.

Let f be a mapping with n functional components expressed as polynomialsin m variables. Assume f is partially encrypted using the key pairs(r₁,s₁), . . . , (r_(n+m),s_(n+m)) such that E_(r,s)∘f may be written inthe form given in equation (5).

Re-encryption is achieved by:

-   -   1. selecting a new set of key pairs (r₁ ^(/),s₁ ^(/)), . . . ,        (r_(n+m) ^(/),s_(n+m) ^(/));    -   2. for every 1≦i≦n+m, symbolically composing r_(i) ^(/) with        s_(i) to generate r_(i) ^(/)(s_(i)(x));    -   3. for every 1≦i≦n+m is n+m, symbolically composing r_(i) with        s_(i) ^(/) to generate r_(i)(s_(i) ^(/)(x));    -   4. for every variable x_(i), n<i≦n+m, symbolically substituting        x_(i) with r_(i)(s_(i) ^(/)(x)); and    -   5. for every function component f_(i), 1≦i≦n, symbolically        composing r_(i) ^(/)(s_(i)(x)) with r_(i)(f_(i)( . . . )).        The re-encryption of a function components is possible based on        the following equation:        (r _(i) ^(/)∘s_(i))∘r _(i)(f _(i)(s _(n+1)(r _(n+1)(s _(n+1)        ^(/)(x ₁))), . . . ,s _(n+m)(r _(n+m)(s _(n+m) ^(/)(x        _(m))))))=r _(i) ^(/)(s _(i)(r _(i)(f _(i)(s _(n+1)(r _(n+1)(s        _(n+1) ^(/)(x ₁))), . . . ,s _(n+m)(r _(n+m)(s _(n+m)        ^(/)(x_(m))))))))=r _(i) ^(/)(f _(i)(s _(n+1) ^(/)(x ₁), . . .        ,s _(n+m) ^(/)(x _(m))))  (8)        so the result is f partially encrypted with the keys (r₁ ^(/),s₁        ^(/)), . . . , (r_(n+m) ^(/),s_(n+m) ^(/)). Since all        (r_(i),s_(i)) and (r_(i) ^(/),s_(i) ^(/)) are initially secrets,        the compositions r_(i) ^(/)∘s_(i) and r_(i)∘s_(i) ^(/) are        effectively encrypted data for purposes of cryptanalysis.

Encryption using multivariate polynomials is similar to encryption withunivariate polynomials, except that tuples or blocks of variables may beencrypted and/or decrypted simultaneously. In the most general case, letf be a mapping with n components that is applied to m variables. Selectk triples. (c_(i),r_(i),s_(i)) satisfying:

-   -   1. Every c_(i) is a positive integer;    -   2. There is an l<k such that $\sum\limits_{i = 1}^{l}c_{i}$    -    equals the number of components, n, in the mapping to be        partially encrypted, and $\sum\limits_{i = {l + 1}}^{k}c_{i}$    -    equals the number of variables, m, used by the mapping;    -   3. Every r_(i) is a permutation of c_(i)-tuples of variables,        and s_(i) is its inverse, thus _(i),s_(i):Z_(p) ^(c) ^(i) →Z_(p)        ^(c); and    -   4. Every r_(i) and s_(i) is expressed as a polynomial mapping,        such that if c_(i)>1, then r_(i) and s_(i) are multivariate        polynomial mappings with functional (polynomial) components        (r_(i,1), . . . ,r_(i,c) _(i) ) and (s_(i,1), . . . ,s_(i,c)        _(i) ), respectively.        The r_(i)s denote encryption keys. The s_(i)s denote decryption        keys. There may or may not be equal triples. Some permutations        r_(i) and s_(i) may be selected to be the identity mapping (thus        encryption and/or decryption are not performed).

Illustratively, the n functional components and m variables areassembled in one “tuple” f₁, . . . ,f_(n),x₁, . . . ,x_(m). This is thenpartitioned into blocks as shown in the equation below:f₁, . . . ,f_(c) ₁ , . . . , f_(n−c) _(i) ₊₁, . . . , f_(n), x₁, . . . ,x_(c) _(i+1) , . . . , x_(m−c) _(k) ₊₁, . . . , x_(m),where f₁, . . . f_(n) is${\sum\limits_{i = 1}^{l}c_{i}} = {n\quad{components}}$components and x₁, . . . ,x_(m) is${\sum\limits_{i = {1 + 1}}^{k}c_{i}} = {m\quad{{variables}.}}$variables.To achieve partial encryption, the keys are then applied to blocks asshown in the equation below:r ₁ ={f ₁ , . . . , f _(c) ₁ } r _(l) ={f _(n+c) _(l) ₊₁ , . . . , f_(n) } s _(l+1) ={x ₁ , . . . , x _(c) _(i+1) } s _(k) ={x _(m−c) _(k)₊₁ , . . . , x _(m)}.This general case can be reduced to the univariate case by settingc_(i)=1 for all 1≦i≦m+n. The partial encryption off({right arrow over (x)})=(f ₁(x ₁ , . . . ,x _(m)), . . . ,f _(n)(x ₁ ,. . . ,x _(m)))over the integers modulo N is done by functional composition, resultingin the encrypted mapping:(r₁(f₁(s_(l+1)(x₁, . . . ,x_(c) _(l+1) , . . . ,s_(k)(x_(m−c) _(k) ₊₁, .. . ,x_(m))), . . . , f_(c) ₁ (s_(l+1)(x₁, . . . , x_(c) _(l) ), . . .,s_(k)(x_(m−c) _(k) ₁, . . . ,x_(m)))), . . . , r₁(f_(n−c) _(l)₊₁(s_(l+1)(x₁, . . . ,x_(c) _(l+1) ), . . . ,s_(k)(x_(m−c) _(k) ₊₁, . .. ,x_(m))), . . . , f_(n)(s_(l+1)(x₁, . . . ,x_(c) ₁ ), . . .,s_(k)(x_(m−c) _(k) ₊₁, . . . ,x_(m)))))  (9)

Note that every r_(i) produces a tuple with c_(i) components, so in all,the partially encrypted mapping should have as many polynomialcomponents as does f. To simplify the above notation, denote the tuplex₁, . . . ,x_(c) _(l+1) by {right arrow over (w)}₁, the tuple x_(c)_(l+i) ₊₁, . . . ,x_(c) _(l+1) _(+c) _(l+2) by {right arrow over (w)}₂,and so on up to x_(m−c) _(k) ₊₁, . . . ,x_(m) by {right arrow over(w)}_(k−l). Denote the function component tuple f₁, . . . ,f_(c) ₁ byv₁, the tuple f_(c) _(l) ₊₁, . . . .,f_(c) _(l) _(+c) ₂ by v₂, and so onup to f_(n−c) _(l) ₊₁, . . . ,f_(n) by v_(l). This notation isillustrated in the equation below:f₁, . . . , f_(c) _(l) , . . . , f_(n−c) _(l) ₁, . . . , f_(n),x₁, . . ., x_(c) _(l+1) , . . . , x_(m−c) _(k) ₊₁, . . . , x_(m).Using this notation, equation (9) may be rewritten as:(r₁(v₁(s_(l+1)({right arrow over (w)}₁), . . . , s_(k)({right arrow over(w)}_(k−l)))), . . . , r_(l)(v_(l)(s_(l+1)({right arrow over (w)}₁), . .. , s_(k)({right arrow over (w)}_(k−l))))).  (10)

When a polynomial representation, H, of a Mealy machine is to beencrypted using multivariate polynomials, there are some constraints onthe selection of encryption keys. As in the univariate case, there are Sfunction components of H, which are fed back into variables, and Ofunction components which are not. This will only work as intended if(c_(i),r_(i),s_(i))=(c_(l+i),r_(l+i),s_(l+i)) for all 1≦i≦{overscore(1)}, where {overscore (1)} is such that${\sum\limits_{j = 1}^{\overset{\_}{1}}c_{j}} \geq {S.}$In the following set$D = {\sum\limits_{j = 1}^{\overset{\_}{1}}{c_{j}.}}$In any case, D may not exceed the number of variables, so in the casewhere there are more function components than variables, there may befunction components free of such restrictions when deciding upon triplesfor encryption. Thus, the first {overscore (1)} partially encryptedblocks of H's components must use the same key pairs as the first{overscore (1)} partially decrypted blocks of H's variables. Recall thatH's variables are written {right arrow over (x)}(n), {right arrow over(y)}(n), and that {right arrow over (x)} is the state of the Mealymachine. Therefore the first {overscore (1)} vectors/blocks {right arrowover (w)}_(i)(n) will represent {right arrow over (x)}(n) and possibly alittle of {right arrow over (y)}(n), and the remaining vectors/blockswill represent the rest of {right arrow over (y)}(n)—the input to theMealy machine. The partially encrypted version of H, written E_(r,s)∘H,may for the case D=S be written as:{right arrow over (x)}(n+1),{right arrow over (z)}(n+1))=(E _(r,s)∘H)({right arrow over (x)}(n),{right arrow over (y)}(n))=(r ₁({tildeover (δ)}₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s_(k)({right arrow over(w)}_(k−l)(n))), . . . , δ_(c) ₁ (s ₁({right arrow over (w)} ₁(n)), . .. ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , (r _({overscore (i)})({tilde over (δ)}_(D−c)_({overscore (i)}) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (δ)}_(D)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n))), r _({overscore (i)}+1)({tilde over (λ)}₁(s₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(λ)}_(c) _({overscore (i)}+1) (s ₁({right arrow over (w)} ₁(n)), . . .,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , r _({overscore (l)})({tilde over (λ)}_(0−c) _(i)₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(λ)}_(O)(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))))  (11)For the case D>S, the partially encrypted version of H, E_(r,s)∘H isdefined as:E_(r,s)({right arrow over (x)}(n+1),{right arrow over (z)}(n+1))=(E_(r,s) ∘H)({right arrow over (x)}(n),{right arrow over (y)}(n))=(r₁({tilde over (δ)}₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s_(k)({right arrow over(w)}_(k−l)(n))), . . . , δ_(c) ₁ (s ₁({right arrow over (w)} ₁(n)), . .. ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , (r _({overscore (i)})({tilde over (δ)}_(D−c)_({overscore (i)}) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (δ)}_(S)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n))), r _({overscore (i)}+1)({tilde over (λ)}₁(s₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(δ)}_(D−S)(s ₁({right arrow over (w)} ₁(n)), . . . ,s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),s_(k)({right arrow over (w)} _(k−l)(n)), . . . , r _(l)({tilde over(λ)}_(0−c) _(i) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (δ)}_(O)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n))))  (12)The mapping E_(r,s)∘H effectively consists of polynomials q_(i):Z_(p)^(S+1)→Z_(p).

For the BSS′ machines, the resulting expression resembles the aboveexpressions, but is slightly simpler. There is one variable vector{right arrow over (x)}(n) with 1+S+O+I components. H has 1+S+Ocomponents. As with the Mealy machine, the triples (c_(i),r_(i),s_(i))must equal (c_(l+i),r_(l+i),s_(l+i)) for 1≦i≦{overscore (1)}, where is{overscore (1)} is such that${{\sum\limits_{j = 1}^{\overset{\_}{1}}c_{j}} \geq {1 + {S\quad{and}\quad{\sum\limits_{j = 1}^{\overset{\_}{1} - 1}c_{j}}}} \leq {1 + {{S.\quad{Set}}\quad D}}} = {\sum\limits_{j = 1}^{\overset{\_}{1}}{c_{j}.}}$In any case, D may not exceed the number of variables, so in the casewhere there are more function components than variables, there may befunction components free of such restrictions when deciding upon triplesfor encryption. The partially encrypted state and output data after napplications of H is defined as {right arrow over (w)}({right arrow over (w)}₁(n), . . . , {right arrow over (w)}_(k−l)(n)).

The partially encrypted version of H for a BSS′ machine is defined as:{right arrow over (x)}(n+1)=(E _(r,s) ∘H)({right arrow over (x)}(n))=(r₁(H ₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s_(k)({right arrow over(w)}_(k−l)(n))), . . . , H _(c) ₁ (s ₁({right arrow over (w)} ₁(n)), . .. ,s _({overscore (i)})({right arrow over (w)} _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), r _(l)(H _(1+S+O−c)_(l+1) (s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})({right arrow over (w)} _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , H _(1+S+O)(s₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})({right arrowover (w)}_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrowover (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))))  (13)

This cryptosystem appears to be based on an NP-hard problem—that ofdecomposing the encrypted polynomial mapping to obtain the obscuredpolynomials doing the actual computation. Also, as in the univariatecase, solution of the problem requires solving a system of non-linearinteger equations, where there are half as many equations as there arevariables.

It is possible to re-encrypt a mapping E_(r,s)∘f partially encryptedwith multivariate polynomials, such that:

-   -   1. None of the old encryption keys are revealed;    -   2. None of the new encryption keys are revealed;    -   3. The plaintext mapping f is not revealed; and    -   4. None of the encryption keys protecting the new encryption        keys are revealed.        Let f be a mapping with n functional components expressed as        polynomials in m variables. Assume f is partially encrypted        using the key triples (c₁,r₁,s₁), . . . ,(c_(k),r_(k),s_(k)) as        described above such that E_(r,s)∘f may be written in the form        given in equation (9). Re-encryption is achieved by:    -   1. selecting a new set of key triples (c₁,r₁ ^(/),s₁ ^(/)), . .        . ,(c_(k),r_(k) ^(/),s_(k) ^(/)), such that block sizes are        preserved;    -   2. for every 1≦i≦k symbolically composing r_(i) ^(/) with s_(i)        to generate r_(i) ^(/)(s_(i)(v));    -   3. for every 1≦i≦k symbolically composing r_(i) with s_(i) ^(/)        to generate r_(i)(s_(i) ^(/)({right arrow over (w)}_(i−l)));    -   4. for every block of variables {right arrow over (w)}_(i−l),        l<i≦k, symbolically substituting {right arrow over (w)}_(i−l)        with r_(i)(s_(i) ^(/)({right arrow over (w)}_(i−l))); and    -   5. for every block of function components v_(i), 1≦i≦l,        symbolically composing r_(i) ^(/)(s_(i)( . . . )) with        r_(i)(f_(i)( . . . )).        The re-encryption of a function component f_(i) described herein        according to the following equation: $\begin{matrix}        {{\left( {r_{i}^{\prime}{^\circ}\quad s_{i}} \right){^\circ}\quad{r_{i}\left( {f_{i}\left( {{s_{l + 1}\left( {r_{l + 1}\left( {s_{l + 1}^{\prime}\left( {\overset{\rightarrow}{w}}_{1} \right)} \right)} \right)},\ldots\quad,{s_{k}\left( {r_{k}\left( {s_{k}^{\prime}\left( {\overset{\rightarrow}{w}}_{k - l} \right)} \right)} \right)}} \right)} \right)}} = {\left( {r_{i}^{\prime}{s_{i}\left( {r_{i}\left( {f_{i}\left( {{s_{l + 1}\left( {r_{l + 1}\left( {s_{l + 1}^{\prime}\left( {\overset{\rightarrow}{w}}_{1} \right)} \right)} \right)},\ldots\quad,{s_{k}\left( {r_{k}\left( {s_{k}^{\prime}\left( w_{k - l} \right)} \right)} \right)}} \right)} \right)} \right)}} \right) = {r_{i}^{\prime}\left( {f_{i}\left( {{s_{l + 1}^{\prime}\left( {\overset{\rightarrow}{w}}_{1} \right)},\ldots\quad,{s_{k}^{\prime}\left( {\overset{\rightarrow}{w}}_{k - l} \right)}} \right)} \right)}}} & (14)        \end{matrix}$        so the result is f partially encrypted with the keys (c₁,r₁        ^(/),s₁ ^(/)), . . . ,(c_(k),r_(k) ^(/),s_(k) ^(/)). Note that        for the multivariate case, proper re-encryption is possible only        if the new key triples partition f and its variables into the        same blocks as the original key triples did. Since all        (c_(i),r_(i),s_(i)) and (c_(i),r_(i) ^(/),s_(i) ^(/)) are        initially secrets, the compositions r_(i) ^(/)∘s_(i) and        r_(i)∘s_(i) ^(/) are effectively encrypted data for purposes of        cryptanalysis. It is important to note that equation (14)        includes three instances of the use of the identity operator. In        applying s_(i)(r_(i)( . . . )), the operators s and r cancel and        could, therefore, be replaced by the identity operator.

In order for the polynomial representation of Mealy machines, and theBSS′ machines to be of significant usefulness, proper host support isrequired. Such support is called a Turing platform. This support isrequired for the subsequently described register machine.

Call the host O. A Turing platform T includes:

-   -   a very simple, slightly modified Turing machine with unbounded,        linearly addressed storage, each storage unit being called a        cell; and with a so-called finite control with position in the        storage;    -   an output register writeable by the finite control, which holds        one storage unit;    -   an input register readable by the finite control, which holds        one storage unit, and one of three possible movement directions        (left, stand still, right);    -   an output register writeable by O, which is part of the input of        the supported state machine; and    -   an input register readable by O, which is part of the output of        the supported state machine.

A complete computation step for a Mealy machine or a BSS′ machine Msupported by a Turing platform proceeds according the diagram of FIG. 35in which the numbered steps correspond to:

-   -   1. T reads the cell at which its finite control is placed,    -   2. T writes the cell to the input of M,    -   3. writes to the input of M,    -   4. M computes the next state,    -   5. M computes output and writes it to the input of T,    -   6. M computes output and writes it to the input of O,    -   7. M computes the direction of movement, and writes it to T,    -   8. Treads from its input register,    -   9. T writes the input to the cell,    -   10. T moves left, right, or stands still, if possible.

Use of a Turing platform to support the computations of Mealy and BSS′machines allows them to do completely general computations, ifnecessary, effectively making them equivalent to Turing machines incomputational power.

The basic structure of the method and apparatus of the present inventionimplements:

-   1. preprocessing of a Mealy machines' mappings in preparation for    either transformation to polynomial mappings or direct encryption,-   2. transformation of Mealy machines' mappings to polynomial    mappings,-   3. a BSS′ machine,-   4. transformation of the mappings of BSS′ machines to polynomial    mappings,-   5. symbolic composition of mappings (including polynomial mappings)    using their function tables,-   6. encryption of Mealy machines with finite controls, expressed as    function tables, using composition of function tables,-   7. encryption and decryption of polynomial mappings and data using    univariate polynomials,-   8. re-encryption of mappings partially encrypted with univariate    polynomial mappings,-   9. encryption and decryption of polynomial mappings and data using    multivariate polynomials,-   10. re-encryption of mappings partially encrypted with multivariate    polynomial mappings,-   11. a specialization of encryption and decryption of polynomial    mappings with multivariate polynomials using two-variable    polynomials,-   12. a device for supporting polynomial-based computation,-   13. a register machine well adapted to encryption by the    cryptosystems presented herein, and-   14. a system for parametrized multivariate encryption presented,    will now be described in detail.

Using a modified notation as compared to above, a Mealy machine is asix-tuple M=(Q,Σ,Δ,δ,λ,q₀), where Q is the set of states, Σ the inputalphabet, Δ the output alphabet, δ:D→Q the state transition function,λ:D→Δ the output function, and q₀ the initial state. The domain D of δand λ is a possibly trivial subset of Q×Σ.

Prior to transformation, state machines are augmented, such that theyhalt in one particular state. This is necessary for Mealy machines andBSS′ machines that are not intended for use with Turing platforms intheir cryptographically enhanced form. The augmentation is also intendedto partially obscure the workings of the machine by introducingredundant states and transitions, without affecting the machine'sfunctionality during any error-free execution. Therefore, augmentationmay be beneficial also for Mealy and BSS′ machines intended for use withTuring platforms in their cryptographically enhanced form. The augmentedmachine will be called M′. The augmentation is carried out using thefollowing steps:

-   -   If M does not have an output symbol B reserved as a “blank”        symbol (i.e., a symbol indicating that there is no semantic        content), add a new symbol B (which cannot equal any symbol in        Δ) to the output alphabet Δ, setting Δ′=Δ∪{B}, otherwise set        Δ′=Δ, and call B the previously reserved “blank” symbol (also        referred to herein as the stopping state output symbol).    -   If M has a state q∈Q such that for all inputs σ∈Σ no pair (q,σ)        is contained in D, then call the state q_(a) and define Q′=Q. If        M has a state q∈Q such that for all inputs σ∈Σ, δ(q,σ)=q, call        the state q_(a), set λ(q,σ)=B for all inputs σ∈Σ, and define        Q′=Q. Otherwise:        -   add a new state, such that Q′={q_(a)}∪Q,        -   for every node q≠q_(a) such that δ(q,σ)=q for all inputs            σ∈Σ, set δ(q,σ)=q_(a) and λ(q,σ)=B for every σ∈Σ.            Q′ is the set of states of M′. The state q_(a) hereinafter            is referred to as “the augmentation state”. M′ is the            augmented Mealy machine.

The next step is to determine the number of elements in Q′ and Δ, andhow they are to be represented using (possibly one-dimensional) vectorsover the ring Z_(N) of integers modulo N. This step determines the leastpossible selectable N. If the Mealy machine is to be represented usingpolynomials, N must be a prime number. If the Mealy machine is to berepresented using function tables, N does not have to be a prime number.When N has been selected, the elements of Q′ are given a representationin Z_(N) ^(S), S≧1 fixed. Similarly, the elements of Δ are representedby elements in Z_(N) ^(O), O≧1 fixed; and the elements of Σ arerepresented by elements in Z_(N) ^(I), I≦0 fixed. Thus, Q^(/) ⊂Z_(N)^(S), Δ⊂Z_(N) ^(O), and Σ⊂Z_(N) ^(I).

-   -   Set Δ′=Δ. The next step can be done in four different ways:        -   1. Nothing more is done to complete the state transition            table of M′, and the undefined entries are marked as such.            This requires an additional table with flags, each flag            marking whether a corresponding entry in the state            transition table is defined or not. This may only be done if            the Mealy machine is represented using polynomials.        -   2. If Q′ contains a number of states less than that            representable within Z_(N) _(S) , add dummy states to Q′,            until it contains N^(S) states. If Σ contains a number of            inputs less than that representable within Z_(N) ₁ , add            dummy input symbols to Σ until it contains N¹ symbols. If Δ′            contains a number of outputs less than that representable            within Z_(N) _(o) , add dummy output symbols to Δ′ until it            contains N^(o) symbols. For each pair (q,σ)∉D, set            δ′(q,σ)=q_(a) and λ′(q,σ)=B, where B is a fixed symbol            chosen from the output alphabet.        -   3. If Q∪{q_(a)} contains a number of states less than that            representable within Z_(N) _(S) , do the following until Q′            contains N^(S) states:            -   For a randomly chosen state q∈Q (alternatively the                current Q′-({q_(a)}) add a state q′ to Q′.            -   For every input σ∈Σ set δ′(q′,σ)=δ(q,σ).            -   Optionally, one may also for every pair (q,σ)∈Q′×Σ such                that δ(q,σ)=q, randomly set δ′(q′,σ) to q or q′.            -   If Σ contains a number of inputs less than that                representable within Z_(N) ₁ , add dummy input symbols                to Σ′ until it contains N¹ symbols. If Δ′ contains a                number of outputs less than that representable within                Z_(N) _(o) , add dummy output symbols to Δ′ until it                contains N^(o) symbols. For each pair (q,σ)∉Q′×Σ, set                δ′(q,σ) to a random q′∈Q′ and set λ′(q,σ) to a random                symbol from Δ′.        -   4. If Q′ contains a number of states less than that            representable within Z_(N) _(S) , add dummy states to Q′,            until it contains N^(S) states. If Σ contains a number of            inputs less than that representable within Z_(N) ₁ , add            dummy input symbols to Σ′ until it contains N¹ symbols. If            Δ′ contains a number of outputs less than that representable            within Z_(N) _(o) , add dummy output symbols to Δ′ until it            contains N^(O) symbols. For each pair (q,σ)∉ D, set δ′(q,σ)            equal to a random q′∈Q′ and set λ′(q,σ) equal to a random            symbol from the output alphabet.    -   Define the domain of M′ to be D′=Q′×Σ′. The resulting M should        now be somewhat differently from M, yet still compute the same        function as M.    -   Three optional additional steps may be carried out, provided the        augmentation made use of methods 2-4 above. Each of the options        is independent of the others, so that any embodiment may elect        to employ one of, two of, or all of the three steps described        below.        -   First, it is possible to permute some or all of the states            without affecting the computation carried out by M′. When            interchanging a state q with q′, δ′(q,σ) takes on the old            value of δ′(q′,σ) for every σ∈Σ′, and vice-versa. Similarly,            λ′(q,σ) takes on the old value of λ′(q′,σ) for every σ∈Σ′.            The interchanges may be made one by one or may be entirely            precomputed in the form of a permutation expressed using a            function table.        -   Second, it is possible to permute part or all of the            extended input alphabet Σ′. When interchanging a symbol σ            with σ′, δ′(q,σ) takes on the old value of δ′(q,σ) for every            q∈Q′ and vice-versa. Similarly, λ′(q,σ) takes on the old            value of λ′(q,σ′) for every q∈Q′ and vice-versa. The            interchanges may be made one by one or may be entirely            precomputed in the form of a permutation expressed using a            function table. These interchanges, however, must have            corresponding interchanges in the output alphabet for any            symbols used to represent state information. Changes must be            made known to the host that is to execute the            cryptographically enhanced Mealy machine if they affect            inputs to be made by the host platform. Thus at some changes            may have to be recorded during augmentation.        -   Third, it is possible to permute part or all of the extended            output alphabet Δ′. When interchanging a symbol x with            another symbol x′, every x′(q,σ)=x takes on the value x′.            Similarly every λ′(q,σ)=x′ takes on the value x. Similar            restrictions apply to this operation as with the permutation            of the extended input alphabet. Changes must be made known            to the host that is to execute the cryptographically            enhanced Mealy machine if they affect outputs to the remote            host platform. Thus at some changes may have to be recorded            during augmentation.        -   Note that x, x′, q, q′, σ, σ′, λ, λ′, and δ′ may or may not            have vectorized representations. The act of permuting            certain vector components of, say σ, is the same as            selecting a subset of Σ′ which one intends to permute.

The next step is the specification of what will be called the full statevector of M. This vector is written:({right arrow over (x)}(i), {right arrow over (z)}(i), {right arrow over(y)}(i))=(x ₁(i), . . . , x _(S)(i), z ₁(i), . . . , z _(O)(i), y ₁(i),. . . , y _(I)(i)),where {right arrow over (x)}(i) is a vector containing the state of theMealy machine after i computation steps, {right arrow over (z)}(i) is avector containing the output after i computation steps, and {right arrowover (y)}(z) is a vector containing the input given at the i^(th)computation step. This is a notational convenience, which is adapted tothe subsequent descriptions of the cryptosystem(s).

In some embodiments where the Mealy machine is represented usingpolynomials, the coefficients of the polynomials $\begin{matrix}{{a_{i}(x)} = {\left( {\prod\limits_{i \in Z_{N}}\frac{x - k}{i - k}} \right)\quad{mod}\quad N}} & (15)\end{matrix}$for i∈Z_(N) are precomputed and stored to improve efficiency. Note thathenceforth, all computation is done modulo N.

It is possible to compute the polynomial mappings for M's representedwith polynomials using interpolation as shown below:${{\overset{\sim}{\delta}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)} = {\sum\limits_{{({\overset{\rightarrow}{i},\overset{\rightarrow}{j}})} \in D^{\prime}}{{a_{i_{1}}\left( x_{1} \right)}\quad\cdots\quad{a_{i_{S}}\left( x_{S} \right)}{{a_{j}}_{i}\left( y_{1} \right)}\quad\cdots\quad{a_{j_{1}}\left( y_{I} \right)}{\delta^{\prime}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}}}},{and}$${\overset{\sim}{\lambda}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)} = {\sum\limits_{{({\overset{\rightarrow}{i},\overset{\rightarrow}{j}})} \in D^{\prime}}{{a_{i_{1}}\left( x_{1} \right)}\quad\cdots\quad{a_{i_{S}}\left( x_{S} \right)}{{a_{j}}_{i}\left( y_{1} \right)}\quad\cdots\quad{a_{j_{1}}\left( y_{I} \right)}{\lambda^{\prime}\left( {\overset{\rightarrow}{x},\overset{\rightarrow}{y}} \right)}}}$The resulting machine is called {overscore (M)}.

Given {overscore (M)}′s state after n state-transitions, {right arrowover (x)}(n), and the (n+1)^(st) input {right arrow over (y)}(n), thenext state transition and output is computed by the mapping:{tilde over (δ)}₁({right arrow over (x)}(n), {right arrow over (y)}(n)),. . . , {tilde over (δ)}_(s)({right arrow over (x)}(n), {right arrowover (y)}(n)), {tilde over (λ)}₁({right arrow over (x)}(n), {right arrowover (y)}(n)), . . . , {tilde over (λ)}_(o)({right arrow over (x)}(n),{right arrow over (y)}(n)  (16)The computation of M′ transformed is executed by iterating the mappinggiven in equation 16. This gives the relations (originally presented asequations (2)-(4)): $\begin{matrix}{{\overset{\rightarrow}{x}(n)} = \left\{ \begin{matrix}{{\overset{\sim}{\delta}\left( {{\overset{\rightarrow}{x}\left( {n - 1} \right)},{\overset{\rightarrow}{y}\left( {n - 1} \right)}} \right)},{{{for}\quad n} > 0}} \\{{{given}\quad{for}\quad n} = 0}\end{matrix} \right.} & (17) \\{{\overset{\rightarrow}{z}(n)} = \left\{ \begin{matrix}{{\overset{\sim}{\lambda}\left( {{\overset{\rightarrow}{x}\left( {n - 1} \right)},{\overset{\rightarrow}{y}\left( {n - 1} \right)}} \right)},{{{for}\quad n} > 0}} \\{{{given}\quad{for}\quad n} = 0}\end{matrix} \right.} & (18) \\{{{\overset{\rightarrow}{y}(n)}\quad{is}\quad{given}\quad{for}\quad n} \geq 0.} & (19)\end{matrix}$

The original machines defined by Blum, Shub, and Smale are defined overa ring R, each having:

-   -   a state space R^(S),    -   an output space R^(O),    -   an input space R^(I), and    -   a graph defining its computations,        where S, O, and I are positive integers. The graph of any        machine has four node variants, numbered by type in the list        below:    -   1. Input node (node of type 1)        -   This node has one outgoing edge to the node numbered (n) and            no incoming edges. The number of the input node is n.            Associated with this node is the injective input mapping            I:R^(I)→R^(S). There is only one input node in any automaton            over R.    -   2. Output node (node of type 2)        -   These nodes have one incoming edge, and no outgoing edges.            The computation of the automaton is finished when an output            node is reached. Each of these nodes has an output mapping            O_(n): R^(S)→R^(O), where n is the number of the node in            question.    -   3. Computation node (node of type 3)        -   Each node of this type, numbered n, has one incoming and one            out-going edge to node number β(n). Each such node has a            mapping g_(n):R^(S)→R^(S). g_(n) is in general rational for            R a field, and polynomial otherwise.    -   4. Branch node (node of type 4)        -   Each node number n of this type has one incoming edge, and            two outgoing edges to the nodes numbered β⁻(n) and β⁺(n).            Each such node has a polynomial or rational. (for R a field)            mapping h_(n): R^(S)→R. If R is an ordered ring, the            automaton “moves” to node β⁻(n) when h_(n)({right arrow over            (x)})<0, {right arrow over (x)}∈R^(S), and to node number            β⁺(n) when h_(n)({right arrow over (x)})≧0. If R is not            ordered, the automaton “moves” by convention to node β⁻(n)            when h_(n)({right arrow over (x)})=0 and to node number            β⁺(n) when h_(n)({right arrow over (x)})≠0.

A BSS′ machine “moves” by executing the following steps until it haltsat an output node or cannot execute another computation step for somereason:

-   -   1. Compute the new state {right arrow over (x)}→g_(n)({right        arrow over (x)}); and    -   2. Change “location” from node number n to the next node, which        is node number β(n), or one of β⁺(n) or β⁻(n) for a branch node.

The set of node numbers from 1 to p can be written {overscore (N)}. ABSS machine thus has p nodes in all. The full state space of aBlum-Shub-Smale machine is then {overscore (N)}×R^(S). It is possible toexpress the computation of a Blum-Shub-Smale machine using only the“computing endomorphism”H: {overscore (N)}×R^(s)→{overscore (N)}×R^(s).The computing endomorphism generally has the formH(n,{right arrow over (x)})=(β( n, χ({right arrow over (x)}), g_(n)({right arrow over (x)}),where β is the next node function, computing the node the automaton isto “move” to when g_(n) has been applied to the state vector {rightarrow over (x)}. The sign function, denoted by χ({right arrow over(x)}), is defined as follows: $\begin{matrix}{{\chi\left( \overset{\rightarrow}{x} \right)} = \left\{ \begin{matrix}{1,{x_{1} > 0}} \\{1,{x_{1} = 0}} \\{{- 1},{x_{1} < 0}}\end{matrix} \right.} & (20)\end{matrix}$

The next node function β(n, σ):{overscore (N)}×{−1,0,1}→{overscore (N)}is in general $\begin{matrix}{{\beta\left( {n,\sigma} \right)} = \left\{ \begin{matrix}{{\beta(n)},} & {n < {p\quad{and}\quad n\quad{is}\quad{not}\quad a\quad{branch}\quad{node}}} \\{{\beta^{+}(n)},} & {{{n\quad{is}\quad a\quad{branch}\quad{node}\quad{and}\quad\sigma} = 0},1} \\{{\beta^{-}(n)},} & {{n\quad{is}\quad a\quad{branch}\quad{node}\quad{and}\quad\sigma} = {- 1}}\end{matrix} \right.} & (21)\end{matrix}$

In an alternate embodiment, an additional constraint is added such thatβ(p) must equal p.

In order to understand the extent of the modifications introduced lateron, it is necessary to have an overview of the general functionalcomposition of the computing endomorphism H. Fix a Blum-Shub-Smalemachine M over Z_(N) for a prime number N. When N is a prime number,Z_(N) is finite field. Let B={branch nodes in M}, and let a_(i)(x) bedefined as $\begin{matrix}{{{a_{i}(x)} = {\left( {\prod\limits_{i \in \overset{\_}{N}}\frac{x - k}{i - k}} \right)\quad{mod}\quad N}},} & (22)\end{matrix}$When y∈{overscore (N)}, a_(n)(y)=1 if and only if n=y, otherwisea_(n)(y)=0. For y∉{overscore (N)}, a_(n)(y) produces nonsense. It isnecessary to know that β(y,σ)=β(y, χ({right arrow over (x)})) isexpressible as a polynomial, for which an expression can be found in thearticle by Blum, Shub, and Smale. When computing β(y,σ) for a node,σ=χ({right arrow over (x)}) must be evaluated. Over a finite field it ispossible to express χ as a polynomial.

A mapping g(n, {right arrow over (x)})=g_(n)({right arrow over (x)})does all “useful” computation in M. Let${{g\left( {y,\overset{\rightarrow}{x}} \right)} = {\sum\limits_{n \in N}{{a_{n}(y)}{{g_{n}\left( \overset{\rightarrow}{x} \right)}.\quad{Generally}}}}},{{g_{n}\left( \overset{\rightarrow}{x} \right)} = \left( {\frac{f_{n,1}\left( \overset{\rightarrow}{x} \right)}{q_{n,1}\left( \overset{\rightarrow}{x} \right)},\frac{f_{n,2}\left( \overset{\rightarrow}{x} \right)}{q_{n,2}\left( \overset{\rightarrow}{x} \right)},\frac{f_{n,3}\left( \overset{\rightarrow}{x} \right)}{q_{n,3}\left( \overset{\rightarrow}{x} \right)},\ldots} \right)},$where f_(n,l)({right arrow over (x)}) and q_(n,l)({right arrow over(x)}) are polynomials in general. If n is a computation node, f_(n,l) isa polynomial in {right arrow over (x)} with its dimension bounded by thedim M, and degree bounded by deg M. If n is not a computation node, thenq_(n,l)({right arrow over (x)})≡1 and p_(n) ^(l)({right arrow over (x)})is identical to the l^(th) component of {right arrow over (x)} for alll. It is then possible to express g(n, {right arrow over (x)}) as:$\begin{matrix}{{g_{n}\left( \overset{\rightarrow}{x} \right)} = {\left( {\frac{\sum\limits_{n \in \overset{\_}{N}}{{a_{n}(y)}{f_{n,1}\left( \overset{\rightarrow}{x} \right)}}}{\sum\limits_{n \in \overset{\_}{N}}{{a_{n}(y)}{q_{n,1}\left( \overset{\rightarrow}{x} \right)}}},\frac{\sum\limits_{n \in \overset{\_}{N}}{{a_{n}(y)}{f_{n,2}\left( \overset{\rightarrow}{x} \right)}}}{\sum\limits_{n \in \overset{\_}{N}}{{a_{n}(y)}{q_{n,2}\left( \overset{\rightarrow}{x} \right)}}},\ldots} \right).}} & (23)\end{matrix}$This gives the explicit expression for the computing endomorphism for Min the formH(n, {right arrow over (x)})=(β( n, χ({right arrow over (x)})), g(n,{right arrow over (x)})).  (24)At this stage, H is at best piecewise polynomial. In order to encryptsuch a machine with polynomial mappings, it must be modified.

For adaption to encrypted computation, the following changes are made:

-   -   An integer N is selected using the following criteria:    -   1. N must be a prime number.    -   2. N must be at least as great as the number of nodes (N≧p).    -   3. N must make allowance for any constants selected as important        by the user, meaning that N must be greater than any such        selected constant.    -   4. N must accommodate any other requirements on it imposed by        the user, if possible.    -   R is restricted to the class of finite fields R=Z_(N) for the        selected N. This ensures that no polynomials over Z_(N) have        more than N^(d) coefficients, where d is the number of variables        of a given polynomial. This is due to the fact that for any        x∈Z_(N), x^(e)=x^(e′) for some e>N−1 and 0<e′≦N.    -   Each g_(n) may only be polynomial, so each q_(n,l)≡1.    -   By convention, nodes are numbered from 0 to p−1 instead of from        1 to p.    -   The full state space concept is changed to include both the        input and output spaces, such that the full state space S is        now:        S=Z _(N) ×Z _(N) ^(S) ×Z _(N) ^(O) ×Z ^(I) _(N)    -    giving 1+S+O +I components in all.    -   Every mapping g_(n) is the identity for all the last I        components. This ensures that the machine cannot write to input.    -   No mapping g_(n) may have as variables any of the components        1+S+1 to 1+S+O. This ensures that no output is used in further        computation.    -   All nodes accept input from the last I components in the full        state vector {right arrow over (x)}∈S without use of any special        input mapping.    -   All nodes compute output to components number 1+S+1 through        1+S+O.    -   There are only two types of nodes:    -   1. computation nodes: these may contain a computation, and/or a        branching; and    -   2. halting nodes: these nodes have at least two incoming edges        (one from itself), and only one outgoing edge to itself.    -   As an option, one may explicitly list halting nodes of the        machine, or define certain output symbols as “halting signals”        (as per the symbol “B” for augmented Mealy machines), or do        both.

Since the modified machines are constructed over Z_(N), which containsonly non-negative integers, the original version of the branch nodebecomes meaningless. Instead, the next-node function takes the formβ:{overscore (N)}×Z_(N)→{overscore (N)}. To simplify, require {overscore(N)}⊂Z_(N), even though one could make do with a smaller prime than someN≧p for the state-space. This implies that β is extended to β:Z_(N)²→Z_(N).

The selected replacement relation for branch nodes is a series ofrelations of the type ∈K⊂(Z_(N)−{0}). For each node n there is a list ofmutually disjoint subsets of Z_(N)−{0}. Define K_(n) to be the union ofall K_(n,j). For any K⊂Z_(N)−{0} define $\begin{matrix}{{b_{K}(z)} = {\left( {\prod\limits_{i \in {Z_{N} - K}}\left( {z - i} \right)^{N - 1}} \right)\quad{mod}\quad{N.}}} & (25)\end{matrix}$When z∈Z_(N), b_(K)(z) maps to 1 if and only if z∈K and to 0 otherwise.The function b_(K) exploits a property of elements of the finitemultiplicative subgroup Z_(N)* of the finite field Z_(N), whicheffectively implies x^(N−1)=1 mod N. Since 0 is not in this subgroup, itdoes not satisfy this property, and thus cannot be included in K.

Let B⊂Z_(p) be the set of all branch nodes. Using b_(K), it becomespossible to express β using a polynomial: $\begin{matrix}{{{\beta\left( {n,x} \right)} = {\sum\limits_{i = 0}^{p - 1}{{a_{i}(n)}{\Delta\left( {i,x} \right)}}}},{where}} & (26) \\{\left( {i,x} \right) = \left\{ \begin{matrix}{n^{\prime},} & {i \notin B} \\{{{\sum\limits_{j = 1}^{j_{i}}{{b_{K_{i,j}}(x)}n_{i,j}}} + {\left( {1 - {b_{K_{n}}(x)}} \right)n^{''}}},} & {i \in {B.}}\end{matrix} \right.} & (27)\end{matrix}$

The constants n′, n″, and all n_(i,j) are all elements in Z_(p), thenode space. This enables the expression of the computing endomorphism ofthe BSS′ machine as a polynomial over Z_(N). Thus the computingendomorphism for the modified BSS′ machine over Z_(N) is:$\begin{matrix}{{{H\left( {n,\overset{\rightarrow}{x}} \right)} = \left( {{\beta\left( {n,x_{c_{i}}} \right)},{\sum\limits_{i = 0}^{p - 1}{{a_{i}(n)}{g_{i}\left( \overset{\rightarrow}{x} \right)}}}} \right)},} & (28)\end{matrix}$where 1≦C_(i)≦d is fixed for the node.

It is also possible to take a further step, using the resultingpolynomial expression to fill in a function table for H, such thatcomputation can be done by using the function table. Such a functiontable may have its entries and indices represented in any vectorizationdeemed convenient for the purposes of its application.

Let a mapping f(x₁, . . . ,x_(m))=(f₁(x₁, . . . ,x_(m)), . . .,f_(n)(x₁, . . . ,x_(m))) be given as a table indexed by (x₁, . . .,x_(m)). The table entry (f₁, . . . ,f_(n)) at (x₁, . . . ,x_(m)) is themapping evaluated at (x₁, . . . ,x_(m)). Assume f is a mapping fromZ_(N) ^(m) to Z_(N) ^(n), where N, m and n are positive integers (thatdo not have to be prime numbers). Then f can be completely defined byits function table.

The mapping f is prepared for symbolic composition by generating a newfunction t:Z_(N) _(m) →Z_(N) _(n) . Every entry (f₁, . . . ,f_(n))corresponding to (x₁, . . . ,x_(m)) is placed in entry numberX=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ as the number F=N^(n−1)f_(n)+ . . .+N¹f₂+f₁. Note that X and F are both integers.

Let g be a mapping from Z_(N) ^(n) to Z_(N) ^(o) and t_(g) be preparedfor g as t was for f. Denote by t_(gf) the function table defining thecomposition of g with f. Symbolic composition of g with f is done bysetting t_(gf)(X)=t_(g)(t(X)) for every X∈Z_(N) _(m) . Denote by t_(fh)the function table defining the composition of f with h₁, . . . ,h_(m).Symbolic composition of f with h₁, . . . ,h_(m) is done by settingt_(fh)(X)=t(N^(m−1)t_(m)(X)+ . . . +N¹t₂(X)+t₁(X)) for every X∈Z_(N)_(m) .

After composition, the resulting function table may be converted backinto a polynomial representation, provided N is a prime number. Given afunction table t:Z_(N) _(m) →Z_(N) _(n) , t may be converted into apolynomial as follows:

-   -   Create a table t′ indexed by tuples on the form (x₁, . . .        ,x_(m)), whose entries are tuples on the form (f₁, . . .        ,f_(n)).    -   For every tuple of arguments, (x₁, . . . ,x_(m)):        -   compute X=N^(m−1)x_(m)+ . . . +N¹x₂+x₁.        -   Set F=t(X). Reduce F to a base-N representation, such that F            is represented by a tuple (f₁, . . . ,f_(n)).        -   Set the tuple in t′ indexed by (x₁, . . . ,x_(m)) to (f₁, .            . . ,f_(n)).    -   Using t′ as the interpolation data, one may optionally        symbolically interpolate a polynomial to find the polynomial        form of the function composition.

A function f can also be composed with multivariate functions which donot have a number of variables directly corresponding to f′s number ofcomponents or a number of components directly corresponding to f′snumber of variables. Let a mapping f(x₁, . . . ,x_(m))=(f₁(x₁, . . .,x_(m)), . . . ,f_(n)(x₁, . . . ,x_(m))) be given as a table indexed by(x₁, . . . ,x_(m)). The table entry (f₁, . . . ,f_(n)) at (x₁, . . .,x_(m)) is the mapping evaluated at (x₁, . . . ,x_(m)). Assume f is amapping from Z_(N) ^(m) to Z_(N) ^(n), where N, m and n are positiveintegers (that do not have to be prime numbers). Then f can becompletely defined by its function table.

The mapping f is prepared for symbolic composition by generating a newfunction t:Z_(N) _(m) →Z_(N) _(n) . Every entry (f₁, . . . ,f_(n))corresponding to (x₁, . . . ,x_(m)) is placed in entry numberX=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ as the number F=N^(n−1)f_(n)+ . . .+N₁f₂+f₁. Note that X and F are both integers. There are two cases to beconsidered:

-   -   1. the symbolic composition of f with h₁, . . . ,h_(k), using        function tables, such that one computes f(h₁(x₁, . . . ,x_(c) ₁        ),h₂(x_(c) ₁ ₊₁, . . . ,x_(c) ₁ _(+c) ₊₂ ), . . . ,h_(k)(x_(m−c)        _(k) ₊₁,x_(m))) where ${{\sum\limits_{i = 1}^{k}c_{i}} = m},$    -    every, c₁ being a positive integer, and    -   2. the symbolic composition of h₁, . . . ,h_(k) with f, using        function tables, such that one computes (h₁(f₁(x₁, . . .        ,x_(m)), . . . ,f_(c) ₁ (x₁, . . . ,x_(m))), . . .        ,h_(k)(f_(n−c) _(k) ₊₁(x₁, . . . ,x_(m)), . . . ,f_(n)(x₁, . . .        ,x_(m)), where Σ_(i=1) ^(k) c_(i)=n, every, c_(i) being a        positive integer.

For case 1, denote by t_(fh) the function table defining the compositionof f with h₁, . . . ,h_(k). The mappings h_(i):Z_(N) ^(c) ^(i) →Z_(N)^(c) ^(i) are prepared for composition by computing a function tablet_(h,i):Z_(N) _(c) _(i)→Z_(N) _(c) _(i), where every mapping value(h_(i,1), . . . ,h_(i,c) _(i) ) corresponding to a (x_(a+1), . . .,x_(a+c) _(i) ), where ${a = {\sum\limits_{j = 1}^{i - 1}c_{j}}},$is placed in entry number X=N^(c) ^(i) ⁻¹x_(a+c) _(i) + . . .+N¹x_(a+2)+x_(a+1) as the number H=N^(c) ^(i) ⁻¹h_(i,c) _(i) + . . .+N¹h_(i,2)+h_(i,1).

The symbolic composition of f with h₁, . . . ,h_(k) is done as follows:

-   -   For every i from 1 to k set y_(i)=N^(c) ^(i) .    -   Set a vector (b₁, . . . ,b_(k)) to (0, . . . ,0) and reserve a        vector (b₁′, . . . ,b_(k)′).    -   For every i from 0 to N^(m) do:        -   Set u=0.        -   For every j from k to 1 do:            -   Set b_(j)′=t_(h,f)(b_(j)).            -   Multiply u by y_(j).            -   Add b_(j)′ to u.        -   Set t_(fh)(i) to t_(f)(u).        -   Increment the vectorized index (b₁, . . . ,b_(k)), taking            into account that b₁ is in base y₁, b₂ is in base y₂, . . .            ,b_(k) is in base y_(k).

After the composition, the resulting function table may be optionally beconverted into a polynomial representation. This procedure is identicalto that described above for the previously discussed function tablecompositions.

For case 2, denote by t_(hf) the function table defining the compositionof f with h₁, . . . ,h_(k). The mappings h_(i):Z_(N) ^(c) ^(i) →Z_(N)^(c) ^(i) are prepared for composition by computing a function tablet_(h,i):Z_(N) _(c) _(i)→Z_(N) _(c) _(i), where every mapping value(h_(i,1), . . . ,h_(i,c) _(i) ) corresponding to a (x_(a+1), . . .,x_(a+c) _(i) ), where ${a = {\sum\limits_{j = 1}^{i - 1}c_{j}}},$is placed in entry number X=N^(c) ^(i) ⁻¹x_(a+c) _(l) + . . .+N¹x_(a+2)+x_(a+1) as the number H=N^(c) ^(i) ⁻¹h_(i,c) _(i)+ . . .+N¹h_(i,2)+h_(i,1).

The symbolic composition of h₁, . . . ,h_(k) with f is done as follows:

-   -   Set y₁=1;    -   For every i from 2 to k set y_(i)=y_(i−1)N^(c) ^(i−1) .    -   Set a vector (b₁, . . . ,b_(k)) to (0, . . . ,0) and reserve a        vector (b₁′, . . . ,b_(k)′).    -   For every i from 0 to N^(n) do:        -   Set u=t_(f)(i).        -   Set q=0.        -   For ever j from k to 1 do:            -   Set p to the integer result of u/y_(j).            -   Set u=u−py_(j).            -   Set b_(j) to t_(h,f)(u).            -   Add y_(j)b_(j) to q        -   Set t_(hf)(i) to q.

A function f can also be composed with multivariate functions that donot have a number of variables directly corresponding to f′s number ofcomponents or a number of components directly corresponding to f′snumber of variables, and that in addition may “reuse” one or morevariables. Thus each variable may be used in more than one mappingh_(i), and there is no explicit requirement that any given variable beused at all by any of the h_(i). Let a mapping f(x₁, . . .,x_(m))=(f₁(x₁, . . . ,x_(m)), . . . ,f_(n)(x₁, . . . ,x_(m))) be givenas a table indexed by (x₁, . . . ,x_(m)). The table entry (f₁, . . .,f_(n)) at (x₁, . . . ,x_(m)) is the mapping evaluated at (x₁, . . .,x_(m)) Assume f is a mapping from Z_(N) ^(m) to Z_(N) ^(n), where N, mand n are positive integers (that do not have to be prime numbers). Thenf can be completely defined by its function table.

The mappings f may in some embodiments be prepared for symboliccomposition by generating a new function t:Z_(N) _(m) →Z_(N) _(n) as forpreviously described methods of composition. The mappings h₁, . . .,h_(k) may be prepared similarly for some embodiments. As earlier,{right arrow over (w)}_(i) denotes i^(th) group of variables. There aretwo cases to be considered:

-   -   1. the symbolic composition of f with h₁, . . . ,h_(k), using        function tables, such that one computes f(h₁(x_(e(1,1)), . . .        ,x_(e(1,d) ₁ ₎), . . . ,h_(k)(x_(e(k,1)), . . . ,x_(e(k,d) _(k)        ₎)), where ${{\sum\limits_{i = 1}^{k}c_{i}} = m},$    -    every c_(i) being a positive integer, each d_(i)≧1, e(i,j) is        the index of the variable “originally fed to f” fed into the        j^(th) variable in mapping h_(i); and    -   2. the symbolic composition of h₁, . . . ,h_(k) with f, using        function tables, such that one computes        (h₁(f_(e) _(/) _((1,1))(x₁, . . . ,x_(m)), . . . ,f_(e) _(/)        _((1,c) ₁ ₎(x₁, . . . ,x_(m)),x_(e(1,1)), . . . ,x_(e(1,d) ₁ ₎),        . . . , h_(k)(f_(e) _(/) _((k,1))(x₁, . . . ,x_(m)), . . .        ,f_(e) _(/) _((k,c) _(k) ₎(x₁, . . . ,x_(m)),(x_(e(k,1)), . . .        ,x_(e(k,d) _(k) ₎)),    -    where each c_(i)≧1, e′(i,j) is the index of a component of f,        each d_(i)≧1, e(i,j) is the index of the variable “originally        fed to f” fed into the j^(th) variable in mapping h_(i).

For case 1, denote by t_(fh) the function table defining the compositionof f with h₁, . . . ,h_(k). The symbolic composition of f with h₁, . . .,h_(k) is done as follows:

-   -   Set a vector (a₁, . . . ,a_(m)) to (0, . . . ,0).    -   For every i from 0 to N^(m) do:        -   For every j from k to 1 compute h_(j)(a_(e(j,1)), . . .            ,a_(e(j,d) _(j) ₎);        -   set t_(fh)(a₁, . . . ,a_(m))=f(h₁, . . . ,h_(k));        -   Increment the vectorized index (a₁, . . . ,a_(m)).

After the composition, the resulting function table may be optionally beconverted into a polynomial representation. This procedure is identicalto that described above for the previously discussed function tablecompositions, and requires that N be a prime number. This compositionmethod has many different potential embodiments, depending on thecontext in which the method is used. An example is the method ofparametrized encryption of the register machine, presented later on,where this method is incorporated into the method of encryption in ahighly specialized version.

For case 2, denote by t_(hf) the function table defining the compositionof f with h₁, . . . ,h_(k). As with the variables in case 1, there is noexplicit requirement that all components of f must be used. Also theymay be used by more than one h_(i) mapping.

The symbolic composition of h₁, . . . ,h_(k) with f is done as follows:

-   -   Set a vector (a₁, . . . ,a_(m)) to (0, . . . ,0).    -   For every i from 0 to N^(m) do:        -   For every j from k to 1 compute h_(j)(f_(e) _(/) _((j,1)), .            . . ,f_(e) _(/) _((j,c) _(j) ₎,x_(e(j,1)), . . . ,x_(e(j,d)            _(j) ₎)        -   Set t_(hf)(a₁, . . . ,a_(m))=(h₁, . . . ,h_(k)).        -   Increment the vectorized index (a₁, . . . ,a_(m)).

As with the previous case, the result of this composition can beconverted into a polynomial, provided N is a prime number. Also thismethod of composition can be highly specialized, with actual embodimentcharacteristics depending on application context. In addition to usingthe composition method of the previous case, the parametrized encryptionmethod also makes use of this composition method, and is an example of aspecialized embodiment of the method.

The method of encryption of polynomial mappings using univariatepolynomials uses key pairs described by a prime number N and key pairs(r_(i), s_(i)). The number N is given by the specification of themapping to be encrypted. Each key pair r_(i) and s_(i) are univariatepolynomials computing non-linear permutations of Z_(N) such thats_(i)(r_(i)(x))=x for x∈Z_(N). From the particular properties of thefield Z_(N), r_(i) and s_(i) are always uniquely expressible aspolynomials over Z_(N) with at most N non-zero coefficients. Equal keypairs are allowed, such that for some i and some j≠i, r_(i)=r_(j) ands_(i)=s_(j). The user may also choose to let some pairs be the identitymapping x, such that r_(i)=s_(i)=x. All apparatus for computationsdescribed below may or may not make use of precomputed tables for one ormore of the following operations, dependent on what the most efficientmeans of computation for any given operational environment is:

-   -   addition modulo N    -   subtraction modulo N    -   incrementation modulo N    -   exponentiation modulo N    -   multiplication modulo N    -   multiplicative inversion modulo N.

One assumes the user has a source of random numbers (or pseudo-randomnumbers with period much greater than N^(N)). The number of key pairs(r_(i), s_(i)) to be generated is dependent on the number of functioncomponents and variables in the plaintext mapping.

In one embodiment, the coefficients of the functions${a_{k}(x)} = {\prod\limits_{{0 \leq j < N},{j \neq k}}\frac{x - j}{k - j}}$are precomputed modulo N using an algorithm based on Horn polynomialevaluation and stored in a two-dimensional array a(k,j), where 0≦k<Ngives the function subscript, and 0≦j<N the individual coefficient. Inan alternate embodiment, the coefficients are calculated as needed.

The procedure then generates pairs (r_(i), s_(i)) for those key pairsnot chosen to be the identity mappings, and those not copied frompreviously generated key pairs (because they are chosen to be equal).

Accordingly, for each pair, let R and S be arrays of N numbers in Z_(N)indexed from 0 to N−1. Every element of S is initiated to the negativeinteger −1. For every 0≦k<N a random number j∈Z_(N) is generated untilS(j)=−1. Then one sets R(k)=j and S(j)=k.

The encryption key r_(i)(x), which is a univariate polynomial, is thensymbolically interpolated using the array R according to the expression:${r_{i}(x)} = {\sum\limits_{j = 0}^{N - 1}{{a_{j}(x)}{{R(j)}.}}}$Thus the k^(th) coefficient is computed as the$\left( {\sum\limits_{j = 0}^{N - 1}{{a\left( {j,k} \right)}{R(j)}}} \right)\quad{mod}\quad N$Similarly, the decryption key s_(i)(x) is interpolated using the array Saccording to the expression:${s_{i}(x)} = {\sum\limits_{j = 0}^{N - 1}{{a_{j}(x)}{{S(j)}.}}}$The coefficients of s_(i) are computed in the same manner as for r_(i).If r_(i) and s_(i) are linear, the procedure is repeated until r_(i) isnon-linear or a preset limit for generation attempts is exceeded.

Only polynomial mappings in the form h:Z_(N) ^(d)→Z_(N) ^(e) _(N) whereh(x₁, . . . , x_(d))=(h₁(x₁, . . . , x_(d)), . . . , h_(e)(x₁, . . . ,x_(d))) may be encrypted. Prior to encryption, one must decide whichx_(i) to decrypt. Let I⊂{e+1, . . . , e+d} be this set. In addition, onemust decide which mapping components to encrypt. Let J⊂{1, . . . , e} bethis set. All keypairs (r_(i), s_(i)) such that i∉I∪J are then set tothe identity mapping x.

Encryption is achieved by replacing each x_(j) where (j+e)∈I, withs_(j+e)(x_(j)), and each h_(i)( ) where i∈J with r₁(h₁( . . . )), suchthat one composes r₁ with h₁ symbolically. The resulting expression willbe:r₁(h₁(s_(e+1)(x₁), . . . ,s_(e+d)(x_(d))), . . .,r_(e)(h_(e)(s_(e+1)(x₁), . . . ,s_(e+d)(x_(d)))).

The mapping h is thus encrypted with the key pairs (r₁, s₁), . . . ,(r_(e+d), s_(e+d)) using symbolic function composition. This results ina polynomial mapping:H(x ₁ , . . . , x _(d))=(H ₁(x ₁ , . . . , x _(d)), . . . , H _(e)(x ₁ ,. . . , x _(d))).where inputs with index in I are taken in encrypted form and decrypted,and other inputs are taken in plaintext form. The original computation his applied, and components in J are output in encrypted form, while therest are output as plaintext.

Decryption is not meant to be performed on encrypted polynomialmappings, only encrypted data. A datum x∈Z_(N) is encrypted by applyingr, giving y=r(x). Similarly, an encrypted datum y is decrypted byapplying s, giving x=s(y).

In particular, the expressions for the partial encryptions of Mealymachines will in general be in the form given in equation (6),duplicated below with the I index in the original equation replaced byL:(E _(r,s) ∘H) ({right arrow over (x)}(n+1), {right arrow over(z)}(n+1))=r ₁({tilde over (δ)}₁(S ₁(x ₁(n)), . . . ,s _(S)(x _(S)(n)),s_(2S+O+1)(y ₁(n)), . . . ,s _(2S+O+L)(y _(L)(n))), . . . , r _(S)({tildeover (δ)}_(S)(s ₁(x ₁(n)), . . . ,s _(S)(x _(S)(n)),s _(2S+O+1)(y ₁(n)),. . . ,s _(2S+O+L)(y _(L)(n))), r _(S+1)({right arrow over (λ)}₁(s ₁(x₁(n)), . . . ,s _(S)(x _(S)(n)),s _(2S+O+1)(y ₁(n)), . . . ,s_(2S+O+L)(y _(L)(n))), . . . , r _(S+O)({tilde over (λ)}₁(s ₁(x ₁(n)), .. . ,s _(S)(x _(S)(n)),s _(2S+O+1)(y ₁(n)), . . . ,s _(2S+O+L)(y_(L)(n)))).

In the above equation, the r_(i)s and s_(i)s are key pairs as above inthis sub-subsection, except that I and J may now contain indexespointing to components formally given in different vectors.

For a BSS′ machine, the resulting expression for the partially encryptedmachine is of the form given in equation (7), duplicated below with theI index in the original equation replaced by L:{right arrow over (x)}(n+1)=(E _(r,s) ∘H)({right arrow over (x)}(n))=r₁(H ₁(s ₁(x ₁(n)), . . . ,s _(1+S)(x _(1+S)(n)), s _(1+S+O+S+O+2)(x_(S+O+2)(n)), . . . ,s _(1+S+O+S+O+L+1)(x _(S+O+L+1)(n)), . . . , r_(1+S+O)(H _(1+S+O)(s ₁(x ₁(n)), . . . ,s _(1+S)(x _(1+S)(n)), s_(1+S+O+S+O+2)(x _(S+O+2)(n)), . . . ,s _(1+S+O+S+O+L+1)(x_(S+O+L+1)(n))))

In the above equation, the r_(i)s and s_(i)s are key pairs as describedabove.

In a method of re-encrypting polynomial mappings partially encryptedwith univariate polynomials, let f be a mapping with n functionalcomponents expressed as polynomials in m variables. Assume f ispartially encrypted using the key pairs (r₁, s₁), . . . , (r_(n+m),s_(n+m)), such that E_(r,s) ∘ f may be written in the form given inequation (5).

Re-encryption is achieved by:

-   -   1. generating a new set of key pairs (r₁′,s₁′), . . . ,        r_(n+m)′,s_(n+m)′) possibly subject to the same constraints of        the original encryption of f,    -   2. for every 1≦i≦n+m symbolically composing r_(i)′ with s_(i) to        generate r_(i)′(s_(i)(x)),    -   3. for every 1≦i≦n+m symbolically composing r_(i) with s_(i)′ to        generate r_(i)(s_(i)′(x)),    -   4. for every variable x_(i), n<i≦n+m, symbolically substituting        x_(i) with r_(i)(s_(i)′(x)), and    -   5. for every function component f_(i) , 1≦i≦n, symbolically        composing r_(i)′(s_(i)(x)) with r_(i)(f_(i)( . . . )).

The method of encryption of Mealy machines with permutations of Z_(N),defined using state transition mappings and output mappings, usesfunction tables to express the state transition mappings and theencryption and decryption functions. The method uses key pairs(r_(i),s_(i)) are permutations of Z_(N). The state transition mapping isδ′, and the output mapping is λ′.

This method can encrypt mappings of the form: (δ′,λ′):Z^(S+I)_(N)→Z^(S+O) _(N), with corresponding function table t_(h) effectivelyrepresenting a function: t_(h):Z_(N) _(S+I) →Z_(N) _(S+O) .

To simplify notation consider (δ′,λ′) as the mapping h(x₁, . . .,x_(d))=(h₁(x₁, . . . ,x_(d)), . . . ,h_(e)(x₁, . . . ,x_(d))), whered=S+I, and e=S+O. The actual order of the components of δ′ and λ′ in hmay vary from embodiment to embodiment. Prior to encryption, one mustdecide which x_(i) to decrypt. Let K⊂{e+1, . . . ,e+d} be this set. Inaddition, one must decide which mapping components to encrypt. Let J⊂{1,. . . ,e} be this set. All key pairs (r_(i),s_(i)) such that i∈K∪J arethen generated. Different pairs of keys may or may not be equal,depending on choices made by the user. Thus it is possible to haver_(i)=r_(j) and s_(i)=s_(j) for some i≠j. Key pairs (r_(i),s_(i)) suchthat i∉K∪J are meant to be identity mappings, and are left unused by themethod described here.

Key generation is done as with encryption using univariate polynomials.For each i∈K∪J do the following:

-   -   For every j from 0 to N−1 set s_(i)(j)=−1.    -   For every k from 0 to N−1:        -   Generate a random number j∈Z_(N) until s_(i)(j)=−1.        -   Set r_(i)(k)=j and s_(i)(j)=k.    -   Encryption is achieved as follows:    -   Reserve a temporary table t_(h)′ defining a function        t_(h)′:Z_(N) _(S+1) →Z_(N) _(S+O) .    -   Initialize a vector (x₁, . . . ,x_(d)) to (0, . . . ,0).    -   First do symbolic composition of the inputs assumed to be        encrypted with the relevant decryption functions (using function        tables). For every i from 0 to N^(d)−1 do:        -   Set k=0.        -   Partially decrypt (x₁, . . . ,x_(d)) by doing for every j            from d to 1:            -   if j+e∈K, then set y_(j)=s_(j+e)(x_(j)) otherwise set                y_(j)=x_(j)            -   Set k=kp+y_(j)        -   Set t_(h)′(k)=t_(h)(i).        -   Increment the vector x as if it were a number in base-N            representation.    -   The powers N¹, . . . ,N^(d−1) may optionally be precomputed at        this point, any previous point in this method, or may be read        from a table precomputed independently of this particular        method.    -   Second: symbolic composition of the outputs that are to be        encrypted with the relevant encryption functions (using function        tables). For every i from 0 to N^(d)−1 do:        -   Set k=t_(h)′(i).        -   Compute a vector (x₁, . . . ,x_(d)) from k.        -   For every j from d to 1 do:            -   if j∈J, then set y_(j)=r_(j)(x_(j)) otherwise set                y_(j)=x_(j)        -   Evaluate (y₁, . . . ,y_(d)) as digits of a number in base-N            representation to give the number m.        -   Set t_(h)′(i)=m.    -   Lastly, copy the function table of t_(h)′ to the function table        of t_(h).

Re-encryption is identical to the method for the direct polynomialrepresentations, except that all mappings are always represented asfunction tables:

-   1. Generate a new set of key pairs (r₁′,s₁′), . . .    ,(r_(n+m)′,s_(n+m)′), possibly subject to the same constraints    applied to the original encryption of h.-   2. For every 1≦i≦n+m symbolically composing r_(i)′ with s_(i) to    generate the function table for r_(i)′(s_(i)(x)).-   3. For every 1≦i≦n+m symbolically composing r_(i) with s_(i)′ to    generate the function table for r_(i)(s_(i)′(x)).-   4. For every variable x_(i) in h where n<i≦n+m, symbolically    substituting x_(i) with r_(i)(s_(i)′(x)).-   5. For every function component h_(i), 1≦i≦n, symbolically composing    r_(i)′(s_(i)(x)) with r_(i)(f_(i)( . . . )).

The method of encryption of polynomial mappings using multivariatepolynomials uses key triples (c_(i), r_(i), s_(i)) with the followingproperties:

-   -   1. c_(i) is an integer such that c_(i)≧1    -   2. r_(i) and s_(i) are bijections (permutations) from Z_(N) ^(c)        ^(i) to Z_(N) ^(c) ^(i) , where N is a prime number given by the        specification of the machine to be encrypted.    -   3. r_(i) and s_(i) are selected so they are non-linear.    -   4. Each component r_(i,j) of r_(i) and s_(i,j) of s_(i) is        expressed as a multivariate polynomial from Z_(N) ^(c) ^(i) into        Z_(N).

The mappings r_(i) are the encryption mappings, and are writtenr _(i)(x ₁ . . . , x _(c) _(i) )=(r _(i,1)(x ₁ , . . . , x _(c) _(i) ),. . . , r _(i,c) _(i) (x ₁ , . . . x _(c) _(i) ).The mappings s_(i) are the decryption mappings, and are writtens _(i)(x ₁ . . . , x _(c) _(i) )=(s _(i,1)(x ₁ , . . . , x _(c) _(i) ),. . . , s _(i,c) _(i) (x ₁ , . . . x _(c) _(i) )).

Different c_(i)s may be chosen to be equal such that for some i and somej≠i, c_(i)=c_(j). Furthermore, if c_(i)=c_(j) for some j≠i, then one maychoose to set r_(i)=r_(j) and s_(i)=s_(j). Also, r_(i) and s_(i) may ingeneral be set to the identity mapping (x₁, . . . ,x_(c) _(i) ) for oneor more i.

From the particular properties of the field Z_(N), it follows that r_(i)and s_(i) are always uniquely expressible as polynomials over Z_(N) withat most N^(c) ^(i) non-zero coefficients.

All apparatus for computations described below may or may not make useof precomputed tables for one or more of the following operations,dependent on what the most efficient means of computation for any givenoperational environment is:

-   -   addition modulo N    -   subtraction modulo N    -   incrementation modulo N    -   exponentiation modulo N    -   multiplication modulo N    -   multiplicative inversion modulo N

The number N is given by the specification of the mapping to beencrypted. It is assumed that the user has a source of random numbers(or pseudo-random numbers with period much greater than N^(N) ² . Theselection of block sizes c_(i) are specified by the user. When this isdone, the number of triples (c_(i), r_(i), s_(i)) to be generated isdependent on the number of function components and variables in theplaintext mapping.

In one embodiment of the present invention, next the coefficients of thefunctions${a_{k}(x)} = {\left( {\prod\limits_{{0 \leq j < N},{j \neq k}}\frac{x - j}{k - j}} \right)\quad{mod}\quad N}$are precomputed using an algorithm based on Horn polynomial evaluationand stored in a two-dimensional array a(k,j), where 0≦k<N gives thefunction subscript, and 0≦j<N the individual coefficient. In analternate embodiment, the coefficients are computed as needed.

The procedure then generates triples (c_(i), r_(i), s_(i)), for thosetriples not chosen to be the identity mappings, and those not copiedfrom previously generated triples (because they are chosen to be equal).

Accordingly, for each triple, select c_(i), and let R and S be arrays ofN^(c) ^(i) (c_(i)+1) numbers in Z_(N) indexed by two indexes: the firstfrom 0 to N^(c) ^(i) −1, the second from 0 to c_(i). Every element S(k,0) is initiated to the negative integer “−1”.

For every k such that 0≦k<N^(c) ^(i) , the following steps are executed:

-   -   1. A random number j∈Z_(N) _(c) _(i) is generated until S(j)=−1.    -   2. R(k, 0) is set equal to j and S(j, 0) is set equal to k.    -   3. The base-N representation of k is computed and stored in        S(j, 1) to S(j, c_(i)). This is the c_(i)-tuple or -vector,        which k represents. This will be used to symbolically compute        the polynomial mappings of s_(i).    -   4. The base-N representation of j is computed and stored in        R(k, 1) to R(k, c_(i)). This will be used to symbolically        compute the polynomial mappings of r_(i).        Let the polynomial f be given as        ${f\left( {l_{1},\ldots\quad,l_{c_{i}}} \right)} = {\sum\limits_{k = 0}^{c_{i} - 1}{N^{k}{l_{k + 1}.}}}$        f converts a base-N index vector with c_(i) components to one        index integer 0≦l<N^(c) ^(i) .

The encryption key r_(i)({right arrow over (x)}), which is a vector ofmultivariate polynomials is symbolically interpolated using the array Raccording to the expression:$\left. {{r_{i,j}\left( {x_{1},\ldots\quad,x_{c_{i}}} \right)} = {\sum\limits_{\overset{\rightarrow}{l} \in Z_{N}^{c_{i}}}{{a_{l_{1}}\left( x_{1} \right)}\quad\cdots\quad{a_{l_{c_{i}}}\left( x_{c_{i}} \right)}{R\left( {{f\left( \overset{\rightarrow}{l} \right)},j} \right)}}}} \right).$Similarly, the decryption key s_(i)({right arrow over (x)}) issymbolically interpolated using the array S according to the expression:$\left. {{s_{i,j}\left( {x_{1},\ldots\quad,x_{c_{i}}} \right)} = {\sum\limits_{\overset{\rightarrow}{l} \in Z_{N}^{c_{i}}}{{a_{l_{1}}\left( x_{1} \right)}\quad\cdots\quad{a_{l_{c_{i}}}\left( x_{c_{i}} \right)}{S\left( {{f\left( \overset{\rightarrow}{l} \right)},j} \right)}}}} \right).$

The process of encryption and decryption is ellaborated below. Assumingseries of triples (c₁, r₁, s₁), . . . ., (c_(k), r_(k), s_(k)), andletting h be a polynomial plaintext mappingh: Z_(N) ^(d)→Z_(N) ^(e),createsH(x ₁ , . . . , x _(d))=(H ₁(x ₁ , . . . , x _(d)), . . . , H _(e)(x ₁ ,. . . , x _(d))),

It is possible to partially encrypt h using the given series of keytriples, provided

-   1. there exists some l such that 1≦l<k and Σ_(j=1) ^(l) c_(i)=e,-   2. Σ_(j=l+1) ^(k) c_(i)=d,

As a convention, the function components of h are grouped in groups ofc₁, . . . , c_(l) components. That is: the first group contains c₁function components, the second c₂ components, etc. up to the l^(th)group, which contains the last c_(i) components of h. The j^(th) groupof function components may for brevity's sake be written v_(j) in thefollowing, where${v_{j} = \left( {h_{a + 1},\ldots\quad,h_{a + c_{j}}} \right)},{a = {\sum\limits_{b = 1}^{j - 1}{c_{b}.}}}$Similarly, the variables are grouped in groups of c_(l+1), . . . ,c_(k)variables, such that the first group contains c_(l+1) variables, thesecond c_(l+2) variables, and so on to the last group, which containsc_(k) variables. The j^(th) group of variables may for brevity's sake bewritten {right arrow over (w)}_(j) in the following.

Prior to encryption, one must decide which groups {right arrow over(w)}j of variables to decrypt. Let I⊂{l+1, . . . , k} be the set ofindexes of variable groups to decrypt. In addition, one must decidewhich groups v_(j) of function components to encrypt. Let J⊂{1, . . . ,l} be the set of indexes of function component groups to encrypt.

Encryption is then achieved by replacing each group of variables {rightarrow over (w)}_(j) where j+l ∈I by the mapping s_(l+j)({right arrowover (w)}_(j)), and each group of function components v_(j) where j∈Jwith r_(j)(v_(j)( . . . )) such that one composes r_(j) with v_(j)symbolically. The resulting expression will be:(r₁(v₁(s_(l+1)({right arrow over (w)}₁), . . . ,s_(k)({right arrow over(w)}_(k−l))), . . . ,r_(l)(v_(l)(s_(l+1)({right arrow over (w)}₁), . . .,s_(k)({right arrow over (w)}_(k−l)))),which, when written out, is:(r₁(h₁(s_(l+1)(x₁, . . . ,x_(c) _(l+1) ), . . . ,s_(k)(x_(d−c) _(k+1) ,. . . ,x_(d))), . . . , h_(c) ₁ (s_(l+1)(x₁, . . . ,x_(c) ₁ , . . .,s_(k)(x_(d−c) _(k+1) , . . . ,x_(d)))), . . . , (r_(l)(h_(c) _(l−1)(s_(l+1)(x₁, . . . ,x_(c) _(l+1) ), . . . ,s_(k)(x_(d−c) _(k+1) , . . .,x_(d))), . . . , h_(l)(s_(l+1)(x₁, . . . ,x_(c) ₁ ), . . .,s_(k)(x_(d−c) _(k+1) , . . . ,x_(d)))))

Inputs in a group whose indexes are in I are taken in encrypted form anddecrypted before use, while the other inputs are already in plaintextform. The original mapping is applied to the decrypted and plaintextinputs, before those components in a group whose index is in J areencrypted. The remaining components are output as plaintext.

Decryption is not meant to be performed on partially encryptedpolynomial mappings, only on encrypted data. A datum {right arrow over(w)}_(i)∈Z_(N) ^(c) ^(i) is encrypted by applying r_(i), giving {rightarrow over (y)}_(i)=r_(i)({right arrow over (w)}_(i)). Similarly, anencrypted datum {right arrow over (y)}_(i) is decrypted by applyings_(i), giving {right arrow over (w)}_(i)=s_(i)({right arrow over(y)}_(i)).

The partially encrypted state and output data after n applications of H(for the Mealy machine) is written({right arrow over (w)}₁(n), . . . ,{right arrow over (w)}_(k−l)(n)).

The general expression for a partially encrypted Mealy machine may bewritten as in equation (11), duplicated here:{right arrow over (x)}(n+1),{right arrow over (z)}(n+1))=(E _(r,s)∘H)({right arrow over (x)}(n),{right arrow over (y)}(n))=(r ₁({tildeover (δ)}₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s_(k)({right arrow over(w)}_(k−l)(n))), . . . , δ_(c) ₁ (s ₁({right arrow over (w)} ₁(n)), . .. ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , (r _({overscore (i)})({tilde over (δ)}_(D−c)_({overscore (i)}) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (δ)}_(D)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n))), r _({overscore (i)}+1)({tilde over (λ)}₁(s₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(λ)}_(c) _({overscore (i)}+1) (s ₁({right arrow over (w)} ₁(n)), . . .,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , (r _(l)({tilde over (λ)}_(O−c) _(l) ₊₁(s ₁({rightarrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(λ)}_(O)(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))))  (29)or as in equation (12), duplicated here:E_(r,s)({right arrow over (x)}(n+1),{right arrow over (z)}(n+1))=(E_(r,s) ∘H)({right arrow over (x)}(n),{right arrow over (y)}(n))=(r₁({tilde over (δ)}₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s_(k)({right arrow over(w)}_(k−l)(n))), . . . , δ_(c) ₁ (s ₁({right arrow over (w)} ₁(n)), . .. ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over(w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n)))), . . . , (r _({overscore (i)})({tilde over (δ)}_(D−c)_({overscore (i)}) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (δ)}_(S)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n))), r _({overscore (i)}+1)({tilde over (λ)}₁(s₁({right arrow over (w)} ₁(n)), . . . ,s _({overscore (i)})(n)),s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),. . . ,s _(k)({right arrow over (w)} _(k−l)(n))), . . . , {tilde over(δ)}_(D−S)(s ₁({right arrow over (w)} ₁(n)), . . . ,s_(l+{overscore (i)}+1)({right arrow over (w)} _({overscore (i)}+1)(n)),s_(k)({right arrow over (w)} _(k−l)(n))), . . . , r _(l)({tilde over(λ)}_(O−c) _(l) ₊₁(s ₁({right arrow over (w)} ₁(n)), . . . ,s_({overscore (i)})(n)),s _(l+{overscore (i)}+1)({right arrow over (w)}_({overscore (i)}+1)(n)), . . . ,s _(k)({right arrow over (w)}_(k−l)(n))), . . . , {tilde over (λ)}_(O)(s ₁({right arrow over (w)}₁(n)), . . . ,s _({overscore (i)})(n)),s _(l+{overscore (i)}+1)({rightarrow over (w)} _({overscore (i)}+1)(n)), . . . ,s _(k)({right arrowover (w)} _(k−l)(n)))))  (30)

In both the above equations ĩ is such that D=Σ_(j=1) ^(r)c_(j)≧S, andD−c_(r)<S. The number of mapping components is S+O: S in the next-statemapping δ, and O in the output mapping λ. The first equation is for thecase where D=S, and the second for the case where D>S. The r_(i)s ands_(i)s are the encryption keys in the triples chosen during keygeneration.

For the BSS′ machines, the resulting expression resembles the aboveexpressions, but is slightly simpler. There is one variable vector{right arrow over (x)}(n) with 1+S+O+I components. H has 1+S+Ocomponents. As with the Mealy machine, the triples (c_(i), r_(i), s_(i))must equal (c_(l+i), r_(l+i),s_(l+i)) for 1≦i≦{right arrow over (i)},where ĩ is such that Σ_(j=1) ^(r) c_(j)≧1+S and Σ_(j=1) ^(r−1)c_(j)<1+S.Set D=Σ_(j=1) ^(r)c_(j). In any case, D may not exceed the number ofvariables, so in the case where there are more function components thanvariables, there may be function components free of such restrictionswhen deciding upon triples for encryption. The partially encrypted stateand output data after n applications of H is defined as({right arrow over (w)}_(l)(n), . . . ,{right arrow over (w)}_(k−l)(n)).The partially encrypted version of H for a modified BSS′ machine isdefined as equation (13).

It is also possible to re-encrypt polynomial mappings partiallyencrypted with multivariate polynomial mappings. Let f be a mapping withn functional components expressed as polynomials in m variables. Assumef is partially encrypted using the key triples (c₁, r₁, s₁), . . . ,(c_(k), r_(k), s_(k)), such that E_(r,s)∘f of may be written in the formgiven in equation (9). Note in particular that there are l groups/blocksof function components and k−l groups/blocks of variables.

Re-encryption is achieved by:

-   -   1. generating a new set of key triples (c₁, r₁′, s₁′), . . . .,        (c_(k), r_(k)′, s_(k)), such that block sizes are preserved,        possibly subject to the same constraints of the original        encryption of f,    -   2. for every 1≦i≦l symbolically composing r_(i) ^(/) with s_(i)        to generate r_(i) ^(/)(s_(i)( . . . )),    -   3. for every 1<i≦k symbolically composing r_(i) with s_(i) ^(/)        to generate r_(i)(s_(i) ^(/)( . . . )),    -   4. for every block of variables {right arrow over (w)}_(i),        l<i≦k, symbolically substituting {right arrow over (w)}_(i) with        r_(i)(s_(i) ^(/)({right arrow over (w)})), and    -   5. for every block of function components v_(i), 1≦i≦l,        symbolically composing r_(i) ^(/)(s_(i)( . . . )) with        r_(i)(f_(i)( . . . )).

Encryption of polynomial mappings using two-variable polynomials, is animportant special case of encryption using multivariate polynomials,where all c_(i)=2. The only differences between the general multivariatecase and the two-variable case will be in the way some of themathematical operations are implemented, as different algorithms areoptimal for different cases.

The method of encryption of Mealy machines represented using functiontables with permutations of Z_(N) _(c) for some c≧1, uses triples(c_(i),r_(i),s_(i)) with the following properties:

-   1. c_(i) is a positive integer.-   2. r_(i) and s_(i) are bijections (permutations) from Z_(N) ^(c)    ^(i) to Z_(N) ^(c) ^(i) expressed using function tables    t_(r,i):Z_(N) _(c) _(i)→Z_(N) _(c) _(i).-   3. r_(i) and s_(i) are selected such that they are non-linear.    The mappings r_(i) are the encryption mappings, and the s_(i) are    the corresponding decryption mappings.

Different c_(i)s may be chosen equal such that for some i and somej≠i,c_(i)=c_(j). Furthermore, if c_(i)=c_(j) for some j≠i, then one maychoose to set r_(i)=r_(j) and s_(i)=s_(j). Also, r_(i) and s_(i) may ingeneral set to the identity mapping (x₁, . . . ,x_(c) _(i) ) for one ormore i.

The number N is given by the augmented Mealy machine M. When generatingthe key triples, it is assumed that the user has a source ofpseudo-random numbers with period much greater than N^(m+n). For eachtriple (c_(i),r_(i),s_(i)) select c_(i) and let t_(r,i) and t_(s,i) befunction tables of r_(i) and s_(i), respectively. The tables t_(r,i) andt_(s,i) of N^(c) ^(i) numbers in Z_(N) ^(c) ^(i) are indexed from 0 toN^(c) ^(i) −1. Every element in t_(s,i) is set to −1.

For every k from 0 to N^(c) ^(i) −1 do:

-   -   A random number j∈Z_(N) _(c) _(i) is generated until S(j)=−1.    -   Set t_(r,i)(k)=j and t_(s,i)(j)=k.        When key generation is finished, there will be a series of        triples (c₁,r₁,s₁), . . . ,(c_(k),r_(k),s_(k)). This series of        triples can be used to encrypt mappings of the form:        (δ^(/),λ^(/))=h:Z_(N) ^(S+I)→Z_(N) ^(S+O), with corresponding        function table t_(h) effectively representing a function:        t_(h):Z_(N) _(s+1) →Z_(N) _(S+O) . The actual order of the        components of δ′ and λ′ in h may vary from embodiment to        embodiment. The mapping h is assumed to be on the form: (h₁(x₁,        . . . ,x_(d)), . . . ,h_(e)(x₁, . . . ,x_(d))), where d=S+I, and        e=S+O.

The generated key triples can partially encrypt t_(h), provided:

-   1. there exists some l such that 1≦l<k and    ${{\sum\limits_{j = 1}^{l}c_{i}} = e},$-    and ${2.\quad{\sum\limits_{j = {l + 1}}^{k}c_{i}}} = {d.}$

To simply notation denote the jth group of function componentsv_(j)=(h_(a+1), . . . ,h_(a+c) _(j) ), where$a = {\sum\limits_{b = 1}^{j - 1}{c_{b}.}}$Similarly, group the variables into groups of c_(l+1), . . . ,c_(k)variables, such that the jth group of variables is written: {right arrowover (w)}_(j)=(x_(a+1), . . . ,x_(a+c) _(j+1) ), where$a = {\sum\limits_{b = 1}^{j - 1}{c_{b + l}.}}$Prior to encryption, one must decide which groups {right arrow over(w)}_(j) of variables to decrypt. Let K⊂{l+1, . . . ,k} be the set ofindexes of variable groups to decrypt. In addition, one must decidewhich groups v_(j) of function components to encrypt. Let J⊂{1, . . .,l} be the set of indexes of function component groups to encrypt.

Encryption is achieved as follows:

-   -   Reserve a temporary table t_(h) ^(/) defining a function t_(h)        ^(/):Z_(N) _(d) →Z_(N) _(e) .    -   For every i from 1 to k set y_(i)=N^(c) ^(i) .    -   Set z₁=1.    -   For every i from 2 to l set z_(i)=y_(i−1)z_(i−1).        -   Set z_(l+1)=1.    -   For every i from l+2 to k set z_(i)=y_(i−1)z_(i−1).        -   Initialize a vector (b₁, . . . ,b_(k−l)) to (0, . . . ,0).            This vector represents the k−l variable blocks, in a base            N^(c) ^(i) representation. For each variable block i:            ${b_{i} = {\sum\limits_{j = 1}^{c_{i + l}}{N^{j - 1}x_{a + j}}}},$    -    where $a = {\sum\limits_{j = 1}^{i - 1}{c_{j + l}.}}$    -   Reserve a vector (b₁ ^(/), . . . ,b_(k−l) ^(/)).    -   For every i from 0 to N^(d)−1 do:        -   Set u=0.        -   For every j from k to l do:            -   if s_(j) is not the identity mapping set b_(j−l)                ^(/)=r_(j)(b_(j−l)) else set b_(j−l) ^(/)=b_(j−l).            -   Multiply u by y_(j).            -   Add b_(j−l) ^(/) to u        -   Set t_(h) ^(/)(i)=t_(h)(u).        -   Increment the vectorized index (b₁, . . . ,b_(k−l)), taking            into account the different sets from which the individual            components may be taken.    -   Reserve a vector (b₁, . . . ,b₁).    -   For every i from 0 to N^(d)−1 do:        -   Set u=t_(h) ^(/)(i).        -   Set q=0;        -   For every j from l to 1 to:            -   Set p to the integer result of u/z_(j).            -   Subtract pz_(j) from u to get the remainder.            -   Set b_(j)=u.            -   if r_(j) is not the identity mapping set                b_(j)=r_(j)(b_(j))            -   Add z_(j)b_(j) to q.        -   Set t_(h) ^(/)(i)=q.    -   Lastly, copy the function table of t_(h) ^(/) to the function        table of t_(h).

Decryption is not meant to be performed on partially encrypted functiontables, only on encrypted data. A datum {right arrow over (w)}_(i)∈Z_(N)^(c) ^(i) is encrypted by applying t_(r,i+l) to the evaluation of thepolynomial N^(c) ^(l+i+1) x_(a+c) _(l+i) + . . . +N¹x_(a+2)+x_(a+1),where $a = {\sum\limits_{j = 1}^{i - 1}{c_{l + j}.}}$

It is also possible to re-encrypt function tables partially encryptedwith key triples (c_(i),r_(i),s_(i)). Let h be a mapping over Z_(N) withn functional components and m variables expressed as a function tablet_(h):Z_(N) _(m) →Z_(N) _(n) . Assume that h is partially encryptedusing the key triples (c₁,r₁,s₁), . . . ,(c₁,r₁,s₁). Take the first l ofthese to be triples applied to function components (although this mayvary from embodiment to embodiment) and last k−l to be triples appliedto variables.

Re-encryption is achieved by:

-   1. generating a new set of key triples (c₁,r₁ ^(/),s₁ ^(/)), . . .    ,(c_(k),r_(k) ^(/),s_(k) ^(/)) such that block sizes are preserved,    possibly subject to the same constraints of h′s original encryption;-   2. for every 1≦i≦l symbolically composing r_(i) ^(/) with s_(i)    using their function table representations to generate a new    function table representation for r_(i) ^(/)(s_(i)(v));-   3. for every 1<i\1eq k symbolically composing r_(i) with s_(i) ^(/)    using their function table representations to generate a new    function table representation for r_(i)(s_(i) ^(/)({right arrow over    (w)}));-   4. for every block of variables {right arrow over (w)}_(i), l<i≦k    symbolically substituting {right arrow over (w)}_(i) with r_(i)    ^(/)(s_(i)({right arrow over (w)})) using the already available    function tables; and    -   5. for every block of function components v_(i), 1≦i≦l,        symbolically composing r_(i) ^(/)(s_(i)( . . . )) with        r_(i)(h_(i)( . . . )) using the already available function        tables.

As described above, Turning Platform is a device supporting polynomialand encrypted polynomial computations. In order for the polynomialrepresentation of Mealy machines, and BSS′ machines to be of significantusefulness, proper host support is required. If a host is referred to as“O”, then a Turing platform T includes:

-   -   a very simple, slightly modified Turing machine with unbounded,        linearly addressed storage, each storage unit being called a        cell; and with a so-called finite control with position in the        storage    -   an output register writeable by the finite control, which holds        one storage unit    -   an input register readable by the finite control, which holds        one storage unit, and one of three possible movement directions        (left, stand still, right)    -   an output register writeable by O, which is part of the input of        the supported state machine    -   an input register readable by O, which is part of the output of        the supported state machine

A complete computation step for a Mealy machine or BSS′ machine Msupported by a Turing platform proceeds according to the followingsteps:

-   -   1. T reads the cell at which its finite control is placed    -   2. T writes the cell to the input of M    -   3. O writes to the input of M    -   4. M computes the next state    -   5. M computes output and writes it to the input of T    -   6. M computes output and writes it to the input of O.    -   7. M computes the direction of movement, and writes it to T    -   8. T reads from its input register    -   9. T writes the input to the cell    -   10. T moves left, right, or stands still, if possible.

Note that the inputs to the Min points 2 and 3 above are supplied todifferent components of the same input vector. Similarly, all generatedoutputs mentioned in points 5, 6, and 7 are extracted from differentparts of M's output vector. The computation halts either when M outputsa predetermined “halting” signal to the host via its designatedoutput-to-host, or when the host detects that M is stuck in one state,is outputting only a “B” to the writeable register, and is not movingthe finite control of the Turing platform about.

Use of a Turing platform to support the computations of Mealy and BSS′machines allows them to do completely general computations if necessary,effectively making them equivalent to Turing machines in computationalpower.

A register machine is constructed to enable more efficient use ofcryptographically enhanced machine representations. Differentembodiments of the register machine are possible and two distinct typesare discussed below. Different embodiments may further be combined toprovide register machines with different capabilities.

Embodiment 1: Allows random memory access, but does not allow universalTuring computation. This type of register machine consists of thefollowing:

-   2. A set P={{right arrow over (P)}_((i) ₁ _(, . . . , i) _(d)    _()} of vectors of integers in Z) _(N) ^(d) indexed by vectors also    in Z_(N) ^(d). Each {right arrow over (P)}_({right arrow over (i)})    can be thought of as an instruction.-   3. Either a vector S indicating the end of the program in P, or a    constant T, which functions as an instruction indicating that the    computation is finished.-   4. A vector {right arrow over (C)}∈Z_(N) ^(d), which functions as an    instruction pointer.-   5. A set S={{right arrow over (S)}_(i) ₁ _(, . . . , i) _(d) ₎} of    vectors of integers in Z_(N) ^(d) indexed by vectors also in Z_(N)    ^(d). Each {right arrow over (S)}_(i) is a storage “cell”.-   6. A vector {right arrow over (D)}∈Z_(N) ^(d), which functions as a    storage pointer.-   7. One or more registers ({right arrow over (R)}₁, . . . ,{right    arrow over (R)}_(m)) of vectors of integers in Z_(N) ^(d) for 0<m≦N.-   8. The next instruction pointer mapping f({right arrow over (R)}₁, .    . . ,{right arrow over (R)}_(m),{right arrow over    (P)}_({right arrow over (C)}), {right arrow over    (S)}_({right arrow over (D)}), {right arrow over (C)},{right arrow    over (D)}):Z_(N) ^(d(m+4))→Z_(N) ^(d).-   9. The next storage pointer mapping g({right arrow over (R)}₁, . . .    ,{right arrow over (R)}_(m),{right arrow over    (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}), {right arrow over (C)},{right arrow    over (D)}): Z_(N) ^(d(m+4))→Z_(N) ^(d).-   10. A specification of the registers that accept input from the host    platform.-   11. The register transition mapping h({right arrow over (R)}₁, . . .    ,{right arrow over (R)}_(m),{right arrow over    (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow    over (D)}):Z_(N) ^(d(m+4))→Z_(N) ^(kd), where k, 0≦k≦m, is the    number of registers not accepting input from the host platform.-   12. The storage transition mapping q({right arrow over (R)}₁, . . .    ,{right arrow over (R)}_(m),{right arrow over    (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow    over (D)}):Z_(N) ^(d(m+4))→Z_(N) ^(d).    This type of register machine can accept input from its host    platform in one or more of the following ways:    -   through one or more registers,    -   through one or more selected “cells” in the storage space,    -   through the initial contents of the storage space,    -   through the initial contents of the instruction vectors.        In the case where one or more registers are used, the register        transition mapping is adjusted so that it does not alter the        contents of the registers accepting input from the host        platform. The register machine may come with a list of registers        and storage locations that function as outputs to the host        platform.

A computation with this type of register machine is initialized with thefollowing steps:

-   17. The initial values of {right arrow over (R)}₁, . . . ,{right    arrow over (R)}_(m),{right arrow over (C)},{right arrow over (D)}    are given. Initial values for one or more storage cells {right arrow    over (S)}_({right arrow over (D)}) in S may also be given.-   18. All the elements in P are given.-   19. Compute {right arrow over (P)}_({right arrow over (C)}) and    {right arrow over (S)}_({right arrow over (D)}).    The computation step of this type of register machine consists of    the following steps:-   20. Compute the next instruction pointer: {right arrow over    (C)}^(/)=f({right arrow over (R)}₁, . . . ,{right arrow over    (R)}_(m),{right arrow over (P)}_({right arrow over (C)}),{right    arrow over (S)}_({right arrow over (D)}),{right arrow over    (C)},{right arrow over (D)})-   21. Compute the next storage pointer: {right arrow over    (D)}^(/)=g({right arrow over (R)}₁, . . . ,{right arrow over    (R)}_(m),{right arrow over (P)}_({right arrow over (C)}),{right    arrow over (S)}_({right arrow over (D)}),{right arrow over    (C)},{right arrow over (D)}).-   22. Compute the value to be written to the current storage cell:    {right arrow over (S)}^(/)=q({right arrow over (R)}₁, . . . ,{right    arrow over (R)}_(m), {right arrow over    (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow    over (D)}).-   23. Compute the register transition mapping: ({right arrow over    (R)}_(j) ₁ , . . . ,{right arrow over (R)}_(j) _(k) )=h({right arrow    over (R)}₁, . . . ,{right arrow over (R)}_(m),{right arrow over    (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow    over (D)}), where j₁, . . . ,j_(k) specify the registers which the    register machine may change.-   24. Set {right arrow over (S)}_({right arrow over (D)})={right arrow    over (S)}^(/),{right arrow over (C)}={right arrow over (C)}^(/), and    {right arrow over (D)}={right arrow over (D)}^(/).-   25. Compute {right arrow over (P)}_({right arrow over (C)}) and    {right arrow over (S)}_({right arrow over (D)}).    The computation is considered to be ended when the instruction    pointer takes on the “end-of-program” value, or when a specified    “stop” instruction is encountered, depending on the embodiment.

This type of register machine may be implemented using either apolynomial or function table representations of the mappings f, g, q,and h. These mappings are multivariate mappings over a finite ring ofintegers, and may thus be encrypted using any of the previouslydescribed methods of encryption. During use, there are no requirementsas to when the host platform changes registers accepting input, and norequirements as to when the host platform reads from designated “output”registers/storage cells. This allows computational work to be minimized.

Embodiment 2: Extends the capabilities of the above register machine,allowing universal (Turing) computation. This type of register machineconsists of the same elements as embodiment 1, but has in addition thefollowing:

-   26. The specification of a register dedicated to output of movement    direction, in the form of an integer y such that 0<y≦m, and an    integer z such that 0<z≦d. The integer y indicates the register, and    the integer z, the component in which this movement is stored.-   27. The specification of a register dedicated as output to a Turing    platform.-   28. The specification of a register dedicated as input from a Turing    platform.-   29. A Turing platform, where each storage unit is a vector in Z_(N)    ^(d).

The computation for this second embodiment of a register machine isidentical to the first, except that there is a requirement that the hostnow also do a Turing platform computation step using the specifiedregisters.

These register machines are amenable to method of encryption similar tothose previously described. This method is difficult to implement withthe previously mentioned Mealy-machine and BSS′-machine variants.

Encryption of register machines uses multivariate mappings. The mappingsof the register machine and the mappings used for encryption, may berepresented either with polynomials or with function tables. If themappings are represented using polynomials, N must be a prime number. Ifthe mappings are represented using function tables, N only needs to bebig enough to accommodate the abstract machine on which the mappings arebased. The encryption technique used is similar to those previouslydiscussed, in that it uses symbolic functional composition to encryptthe mappings used to express the register machine. The difference isthat every element read from a register or storage cell is encryptedwith a key specific to each register or storage cell. Thus encryptionand decryption functions take register number or storage cell indexvector as addition parameters. The encryption function for any registernumber i is r_(i)({right arrow over (R)}_(i)). The decryption functionfor any register number i is s_(i)({right arrow over (R)}_(i)). Theencryption function for any storage cell indexed by {right arrow over(D)} is v({right arrow over (S)}_({right arrow over (D)}),{right arrowover (D)}). The decryption function for any storage cell indexed by{right arrow over (D)} is u({right arrow over(S)}_({right arrow over (D)}),{right arrow over (D)}).

Prior to encryption, the user selects a subset I⊂S of storage cells tobe encrypted. The user also selects a subset J⊂{1, . . . ,m} ofregisters to encrypt. In one further generalization of this embodiment,it is possible to select storage cells and registers that are decryptedwhen used as arguments in the mappings f, g, h, and q, but not encryptedwhen being written to. In such a further generalization, it is alsopossible to select storage cells and registers that are read asplaintext, but are encrypted when written to.

The pair (r_(n),s_(n)) for a given n is generated as follows:

-   1. Two tables are defined, V and U, each with N^(d)×m elements.-   2. Set every U(i,j)=−1 for all (i,j) such that 0≦i<N^(d)−1 and j∈J.-   3. Set every U(i,j)=V(i,j)=i for all (i,j) such that 0≦N^(d)−1 and    j∉J.-   4. For every j from 1 to m do the following if j∈J:    -   a. For every i from 0 to N^(d)−1 do:        -   i. Select a random b from 0 to N^(d)−1 until U(b,j)=−1.        -   ii. Set U(b,j)=i and V(i,j)=b.            If r_(i) and s_(i) are represented as polynomials, r_(i) is            interpolated using the elements of V converted to d-vectors,            and s_(i) is interpolated using the elements of U converted            to d-vectors. If r_(i) is represented as a function table,            the function table of r_(i) containing lumped-together            arguments and mapping values is set equal to V. Similarly,            if s_(i) is represented as a function table, the function            table of s_(i) containing lumped-together arguments and            mapping values is set equal to U.

The pair (v,u) is generated as follows:

-   5. Two tables are defined, V and U, each with N^(d)×|S| elements,    where |S| is the number of elements in S.-   6. Set every U(i,j)=−1 for all (i,j) such that 0≦i<N^(d)−1 and j∈I.-   7. Set every U(i,j)=V(i,j)=i for all (i,j) such that 0≦i<N^(d)1 and    j⊂I.-   8. For every j from 1 to |S| do if j∈I:    -   a. For every i from 0 to N^(d)−1 do:        -   i. Select a random b from 0 to N^(d)−1 until U(b,j)=−1.        -   ii. Set U(b,j)=i and V(i,j)=b.            If v and u are represented as polynomials, v is interpolated            using the elements of V converted to d-vectors, and u is            interpolated using the elements of U converted to d-vectors.            If v is represented using its function table, the table for            v with lumped-together arguments and mapping values is set            equal to V. Similarly, if u is represented using its            function table, the table for u with lumped-together            arguments and mapping values is set equal to U.

Both of the register machine embodiments can be encrypted in the sameway. Encryption proceeds as follows:

-   9. Generate the key pair (v,u), where v,u:Z_(N) ^(2d)→Z_(N) ^(d).-   10. Generate the key pairs (r_(i),s_(i)), where r_(i),s_(i):Z_(N)    ^(d)→Z_(N) ^(d).-   11. In the mappings f, g, h, and q, for each i∈J, symbolically    substitute {right arrow over (R)}_(i) with s({right arrow over    (R)}_(i),i).-   12. In the mappings f, g, h, and q, symbolically substitute S with    u({right arrow over (S)},{right arrow over (D)}).-   13. Symbolically compose h with v, giving v(h( . . . ),{right arrow    over (D)}).-   14. Symbolically compose q with v, giving v(q( . . . ),{right arrow    over (D)}).    Due to the parametrization, a more general type of multivariate    encryption is required: parametrized multivariate encryption. The    mappings of the register machine may be combined to a mapping    H({right arrow over (R)}₁, . . . ,{right arrow over (R)}_(m),{right    arrow over (P)}_({right arrow over (C)}),{right arrow over    (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow    over (D)}) where the above six conditions merely lay restrictions on    the use of parametrized encryption, so that the partially encrypted    machine has a chance of working.

Parametrized multivariate encryption is done using key quadruples(c_(i),g_(i),r_(i),s_(i)) applied to groups of variables and mappingcomponents as for multivariate encryption. This operation can be appliedto any mapping: h:Z_(N) ^(d)→Z_(N) ^(e). If the encryption is to beapplied when h is a polynomial mapping, N must be a prime number. Thenumber of variables or mapping components grouped together in the i^(th)group is c_(i). There are in all k groups, of which the first l coverthe mapping components, and the remaining k−l groups the variables. Itis a requirement that ${{\sum\limits_{i = 1}^{l}c_{i}} = e},$and also a requirement that${\sum\limits_{i = {l + 1}}^{k}c_{i}} = {d.}$The set J⊂{1, . . . ,l} specifies the component groups of h that are tobe encrypted irrespective of whether that encryption is parametrized ornon-parametrized. The set I⊂{l+1, . . . ,k} specifies the variablegroups of h that are to be decrypted irrespective of whether thatdecryption is parametrized or non-parametrized.

The number g_(i) either gives the index of a group of variables {rightarrow over (w)}_(i−l) (thus being such that l<g_(i)≦k), or is some othervalue greater than k or less than l (−1 is recommended, if possible),indicating that no such group is referenced. If g_(i) references a groupof variables, that group of variables will be used to parametrize eitherthe encryption of the group (if it is a group of mapping components), orthe decryption of the group (if it is a group of variables).

Whenever g_(i) references a group of variables or mapping components,the encryption and decryption keys are mappings on the form:r_(i),s_(i):Z_(N) ^(c) ^(i) ^(+c) ^(gi) →Z_(N) ^(c) ^(i) . Wheneverg_(i) does not reference any group, the encryption and decryption keysare mappings on the form: r_(i),s_(i):Z_(N) ^(c) ^(i) →Z_(N) ^(c) ^(i) .

The resulting encryption algorithm is illustrated for the function tablerepresentation by the method “ParamEncrypt” given in the file“CompTable.java” in the source code appendix. The algorithm is verysimilar to that for multivariate encryption.

-   -   Reserve a temporary table t_(h) ^(/) defining a function t_(h)        ^(/):Z_(N) _(d) →Z_(N) _(e) .    -   For every i from 1 to k set y_(i)=N^(c) ^(i) .    -   Set z₁=1.    -   For every i from 2 to l set z_(i)=y_(i−1)z_(i−1).        -   Set z_(l+1)=1.    -   For every i from l+2 to k set z_(i)=y_(i−1)Z_(i−1).        -   Initialize a vector (b₁, . . . ,b_(k−l)) to (0, . . . ,0).            This vector represents the k−l variable blocks, in a base            N^(c) _(i) representation. For each variable block i:            ${b_{i} = {\sum\limits_{j = 1}^{c_{i + l}}{N^{j - 1}x_{a + j}}}},$        -    where $a = {\sum\limits_{j = 1}^{i - 1}{c_{j + l}.}}$    -   Reserve a vector (b₁ ^(/), . . . ,b_(k−l) ^(/)).    -   For every i from 0 to N^(d)−1 do:        -   Set u=0.        -   For every j from k to l do:            -   if s_(j) is not the identity mapping:            -   A. if l<g_(j)≦k                -   A. Set m=y_(g) _(j) b_(j−l)+b_(g) _(j−l)                -   B. Set b_(j−l) ^(/)=r_(j)(m)            -   B. otherwise set b_(j−l) ^(/)=r_(j)(b_(j−l))        -   A. otherwise set b_(j−l) ^(/)=b_(j−l).        -   B. Multiply u by y_(j).        -   C. Add b_(j−l) ^(/) to u        -   Set t_(h) ^(/)(u)=t_(h)(i).        -   Increment the vectorized index (b₁, . . . ,b_(k−l)), taking            into account the different sets from which the individual            components may be taken.    -   Reserve a vector (b₁, . . . ,b_(l)).    -   Initialize a vector (b₁ ^(/), . . . ,b_(k−l) ^(/))    -   For every i from 0 to N^(d)−1 do:        -   Set u=t_(h) ^(/)(i).        -   Set q=0;        -   For every j from l to 1 to:        -   A. Set p to the integer result of u/z_(j).        -   B. Subtract pz_(j) from u to get the remainder.        -   C. Set b_(j)=u.        -   D. if r_(j) is not the identity mapping            -   A. if l<g_(j)≦k                -   A. Set m=y_(g) _(j) b_(j)+b_(g) _(j−l) ^(/)                -   B. Set b_(j)=r_(j)(m)        -   E. otherwise set b_(j)=r_(j)(b_(j))        -   F. Add z_(j)b_(j) to q.        -   Set t_(h) ^(/)(i)=q.        -   Increment the vectorized index (b₁ ^(/), . . . ,b_(k−l)            ^(/)), taking into account the different sets from which the            individual components may be taken.    -   Lastly, copy the function table of t_(h) ^(/) to the function        table of t_(h).

Additional more applied and less theoretical examples are provided belowwith reference to FIGS. 5A-73. An exemplary transition diagram with itscorresponding inputs, states, and outputs is illustrated in FIG. 5A. Theuppermost state “0” (sometimes referred to as “node ‘0’”) has threepossible inputs (i.e., 0, 1 and 2), which cause transitions to states 1,2, and 0, respectively while outputting symbols 1, 2 and 2,respectively. The corresponding pairs of inputs and outputs are shown inthe form input/output, and the state to which the state machine moves asa result of the input is shown by the directional arc (sometimes comingback to the original state). A corresponding function table isillustrated in FIG. 5B with the new states and outputs being shown inparentheses (i.e., in the form (δ,λ)).

As can be seen, the transition diagram does not include any dedicatedstate q_(a) that can be used as a stopping state such that an outsideobserver would know that the calculation has ended, simply by looking atthe current state of the machine. Accordingly, such a dedicated state isadded so that the machine can signal the end of its computation (toitself and outside observers).

Conversely, as shown in the transition diagram of FIG. 5C, a node/state3 is already isolated and may be used as a dedicated state q_(a). (Inthat exemplary embodiment, when a “1.” is input in state “2”, thetransition is undefined.) Such a state machine includes a function tablerepresentation as shown in FIG. 5D (including a corresponding undefinedentry).

Continuing with the example of FIG. 5A, by adding a dedicated stateq_(a), and its corresponding arcs for each defined input, the transitiondiagram of FIG. 6 is created. Such a diagram can be written equivalentlyas the function table of FIG. 6B in which the dedicated state and thedesignated output symbol (indicating that the designated state has beenentered) are written generically as q_(a) and B, respectively. Thisaddition creates, from an existing domain D, an augmented domain D′given by:D′={(0,0), (0,1), (0,2), (0,B), (1,0), (1,1), (1,2), (1,B), (2,0),(2,1), (2,2), (2,B), (q_(a),0), (q_(a),1), (q_(a),2), (q_(a),B)}.

Similarly, the example of FIG. 5C can be augmented to include arcscorresponding to designated the isolated node 3 as the dedicated stateq_(a), thereby forming the diagram of FIG. 6C and its equivalentfunction table in FIG. 6D. In light of the fact that the transition isundefined when in state “2” and a “1” is received, the augmented domaincorresponding to FIG. 6D is given by:D′={(0,0), (0,1), (0,2), (0,B), (1,0), (1,1), (1,2), (1,B), (2,0),(2,1), (2,2), (2,B), (3,0), (3,1), (3,2), (3,B)}.

As seen in FIG. 7, various vectorizations are possible for the sameoriginal input, output and state spaces. In the vectorization examplewhere N≧4, if N is not a prime number, the vectorization should only beused when using function table representations for encryption andcomputation. Preferably a user's selection of components/vectorizationsis maintained between specification and use without the systemattempting to perform a remapping.

As seen in FIGS. 8A-8C, the determination of an exemplary prime numberis provided for each of the three illustrated cases of N. Generally, ifa polynomial representation is used for FIGS. 8A-8C, N should be a primenumber.

Continuing with the example of FIG. 7B, a prime number, 3, is used and avectorization corresponding to N=3d is selected in which: Σ′={(0,0),(0,1), (0,2), (1,0)}, Q′={(0,0), (0,1), (0,2), (1,0)}, and Δ′={(0,0),(0,1), (0,2), (1,0)}, such that the table of FIG. 9A can be created byadding dummy states until Q′ contains N²=9 states. That is, startingwith the originally defined 4 states, 9-4=5 rows (i.e., 5 nodes/states)are added to FIG. 9A, each with their own corresponding 4 entries perrow. This initially leaves undefined all the entries corresponding tothe newly added states, as shown in the bottom of FIG. 9A.

Similarly, having increased the number of states, the number of inputsymbols and output symbols are adjusted correspondingly. Adding dummyinput symbols until Σ′ contains 3²=9 symbols gives Σ′={(0,0), (0,1),(0,2), (1,0), (1,1), (1,2), (2,0), (2,1), (2,2)}. Corresponding dummysymbols can also be added to Δ′ to create Δ′={(0,0), (0,1), (0,2),(1,0), (1,1), (1,2), (2,0), (2,1), (2,2)}. Each of the undefined entries(including the previously undefined entry corresponding to input (0,1)and state (0,2)) can be filled in with a specified value (e.g.,((1,0),(1,0)) to create the table of FIG. 9B.

As an alternative to the approach of FIG. 9B, each of the undefinedentries that would have otherwise been filled in with a common value caninstead be filled in with domain-specific random values. For example,for each entry illustrated in FIG. 10, each “*” can be replaced with aseparately selected random number from 0 to 2 (inclusive). This fillingout of values randomly includes the previously undefined entrycorresponding to input (0,1) and state (0,2).

As an alternative to generating entries individually, rows of definedentries can be copied for undefined rows. For example, using thevectorization of FIG. 8B, an initial set of entries is generated asshown in FIG. 11A. A non-dedicated row (i.e., a row other than row(1,0)) is selected (e.g., row (0,1)) and used as the source for fillingin values in the first undefined row (i.e., row (1,1)).

Equivalently, the first isolated node (1,1) in the graph of FIG. 11C isselected. The transitions corresponding to node (0,1) are repeated fornode (1,1), thereby creating the graph of FIG. 11D. The copyingprocesses of FIGS. 11B and 11D are repeated until all the rowscorresponding to the newly created output variables are filled in.

In addition to the random row copying process that created the functiontable of FIG. 11B (and which is repeated as FIG. 12A), transitions fromthe state being copied (q) to itself (q) can randomly be set to point toeither q or q′ (the copied version of q). For example, after row (0,1)is copied to row (1,1) as shown in FIG. 12A, the (0,1) entry of row(0,1) can be modified to point to the corresponding (0,1) entry in thenewly copied row (1,1). Similarly, transitions in row (1,1) only couldhave been changed, as could transitions in both rows (0,1) and (1,1) forentries corresponding to entries that point back to themselves within anoriginal row. Equivalent changes are shown in FIGS. 12C and 12D.

Again returning to the function table of FIG. 11B (which is repeated asFIG. 13A), an existing function table can be modified to switch thelabels assigned to any pair of nodes without the loss of generality. Forexample, state (0,1) can be switched with state (1,0), and in thegraphical representation of FIG. 12C would simply require a relabelingof the graph. However, the function table format results in a remappingas shown in FIG. 13B.

FIG. 14A illustrates the process of interchanging input symbols usingthe function table of FIG. 13B. By interchanging the columns of inputs(0,2) and (1,0), the function table of FIG. 14A is transformed into thefunction table of FIG. 14B. (Note that although Σ′=Σ, other mappings arepossible such that the interchange is really a specification of a newinput symbol.) Certain other criteria must also be examined, however, toensure that such an interchange is acceptable. The first criterion isthat, if a Mealy machine is to read its own output at some later stage(as is supported by Turing machines), every interchange of input symbolsmust be accompanied by a corresponding interchange of output symbols.Using the example of FIG. 14A, it would also be necessary to switch the(0,2) and (1,0) output symbols.

According to the second criterion, any interchange of input symbols mustbe recorded and stored locally, otherwise the rightful user of themachine may not be able to use it in a meaningful way. Inputspecifications provided to other parties must also be adjustedaccordingly.

Nonetheless, the third criterion (which acts as an anti-criterion) isthat if the interchanges are only done in the dummy symbols, changes donot affect the computation and can be ignored.

Similar to the process of FIGS. 14A and 14B (and with the samecriteria), output symbols can be exchanged in an analogous fashion asshown in FIGS. 15A and 15B. (Note that although Δ′=Δ, other mappings arepossible such that the interchange is really a specification of a newoutput symbol.) By interchanging the (0,2) and (1,0) output symbols, thefunction table of FIG. 15A becomes 15B.

FIGS. 16A and 16B illustrate a method of transforming state transitionand output mappings of an augmented Mealy machine to polynomialmappings. In the illustrated example, generally states have twocomponents x₁,x₂, and inputs have two components x₃,x₄ such that theoutput mapping has two components λ′₁(x₁, x₂, x₃, x₄) and λ′₂(x₁, x₂,x₃, x₄). Thus, the state transition mapping of the augmented machine hastwo components: δ′₁(x₁, x₂, x₃, x₄) and δ′₂(x₁, x₂, x₃, x₄). Generallyeach polynomial interpolation of a mapping component may be visualizedas exemplified in FIG. 16B, although FIG. 16B is not intended to bedrawn to scale. Thus, the interpolation for any given component is onlyguaranteed to exist if all components (be they in state, input, oroutput vectors) can be selected from the set of integers modulo some N,such that (a) N is greater than any possible individual component valueas given by the state transition table and (b) N is a prime number.

FIG. 17 illustrates a method of precomputing the a_(i)(x) functions;given by:${{a_{i}(x)} = {\left( {\prod\limits_{\underset{i \neq k}{k \in K}}\frac{x - k}{i - k}} \right)\quad{mod}\quad N}},$such that each a_(i)(x) is symbolically constructed only once for thespecified set. Those results are represented by their respective arraysof coefficients and can be used to decrease calculation time spentduring computation.

FIG. 18 illustrates a BSS machine to be modified into a BSS′ machineunder various conditions according to the present invention. Nodenumbering can be adjusted using the illustrated technique to beginnumbering nodes at zero. Having generated a BSS machine according toFIG. 18, the input and output mappings are converted, and a computationmapping g_(i) is added to every node that doesn't have one, as shown inFIG. 19. FIG. 20A illustrates a BSS machine resulting from thecalculations of FIG. 19. It may, however, be easier to create anequivalent BSS′ machine from scratch, such as the five node machineillustrated in FIG. 20B.

As shown in FIG. 21, the method of transforming a BSS′ machine into asingle polynomial mapping includes expressing a set membership relation∈K as a polynomial. The result of symbolically multiplying together(x−i)^((N−1)), for every i∉K, modulo N is called b_(k). (Note that zerocannot be a member of K.) Since all K_(i,j) are disjoint, theirintersections are empty. Moreover, Δ(i,x) is symbolically calculatedaccording to:Δ(i,x)=b _(K) _(i,1) (x)n _(i,1) + . . . +b _(K) _(i,ji) (x)n _(i,j)_(i) +(1−b _(K) _(i) (x))n ^(//),where b_(K) _(i,j) is the polynomial expression for evaluating the setinclusion relation. The next node function, expressed as a polynomial,combines all the Δ(i,x) according to the a_(i)(x) functions using thedomain definition:${{\beta\left( {n,x} \right)} = {\sum\limits_{i = 0}^{p}{{a_{i}(n)}{\Delta\left( {i,x} \right)}}}},$where p is the number of nodes and N is the size of the field. Thecomputation mappings are similarly combined to produce the computingendomorphism:$\left( {{\beta\left( {n,x_{1}} \right)},{\sum\limits_{i = 0}^{p}{{a_{i}(n)}{g_{i}\left( \overset{\rightarrow}{x} \right)}}}} \right).$

FIGS. 22A-22C illustrate three consecutive steps in generating keys forunivariate encryption of multivariate polynomial mappings. First theelements to be encrypted and decrypted are selected by a user.Generally, elements selected by the user to be encrypted (from withinthe first “e” elements) are placed in the set J, and variables fromelements “e+1” to “e+d” that are selected for decryption are held in setI. To save unnecessary computation, components not in J and variablesnot in I remain untouched. Keys are only generated in a sufficientnumber for those components/variables actually affected. The definitionof f gives the prime number used in generating key pairs. Key generationbegins with the two arrays in FIG. 22A. After one step of the keygeneration process, the arrays may take on an exemplary form shown inFIG. 22B. After a second step, the exemplary embodiment is shown in FIG.22C.

FIG. 23 illustrates an interpolated polynomial (given by the array R)that is used to compute a permutation according to one aspect of thepresent invention. The inverse is computed in a similar manner using thearray S.

In order to save time (and component complexity), according to oneembodiment of the present invention, a number of arithmetic operationsare pre-computed. As shown in FIGS. 24A and 24B, it is possible tocompute the multiplication and exponentiation of numbers and store theresult in a look-up table for later (quick) reference.

As shown in FIG. 25A, a mapping d can be encrypted into a form h. Whenencrypting plural variables and mapping components of multivariatepolynomials with univariate polynomials, it is possible to utilizeconstraints on pairs of keys. For example, using a set of functioncomponents and variables as shown in FIG. 25B, it is possible to add aconstraint that key pairs 1 and e+1 must be identical. Then, as shown inFIG. 25C, selected variables i (from set I) are then decrypted bysymbolically composing them with corresponding inverse permutationss_(e+i). Then function components j (from set J) are encrypted bysymbolically composing them with the corresponding permutations r_(j).Generally the result of s_(e+i) and r_(j) yields the resultant partiallyencrypted h, E_(r,s)∘h.

FIG. 26A illustrates a partially encrypted E_(r,s)∘h (produced as aresult of FIG. 25C) to be used as a starting point in a process ofre-encrypting plural variables and mapping components of multivariatepolynomials with second univariate polynomials. That partially encryptedresult undergoes the process of symbolically re-encrypting pluralvariables and mapping components of multivariate polynomials with secondunivariate polynomials as shown in FIG. 26B. Thus, the originalencryption in reversed and a new encryption is applied with a new set ofkeys.

FIG. 26C illustrates a result of the re-encrypting process of FIG. 26B.Accordingly, a new E_(r′,s′)∘h is created which is the same mappingpartially encrypted with key pairs (r₁′, s₁′) . . . (r_(e+d′),s_(e+d)′)instead of with (r₁, s₁) . . . (r_(e+d),s_(e+d)).

FIGS. 27A and 28A illustrate function tables for f(x₁,x₂) and g(x₁,x₂),respectively that can be used in a symbolic composition of g(f({rightarrow over (x)})). Generally, the composition of t_(f) from FIG. 28B andt_(g) from FIG. 28C create the table t_(fg) as shown in FIG. 28D.Alternatively, the composition process is shown schematically in FIG.28E.

Again assuming a mapping as shown in FIG. 25A, function componentsselected for encryption are stored in the set J and variables stored fordecryption are stored in the set I. As was mentioned in the descriptionof FIG. 22A, to save unnecessary computation, components not in J andvariables not in I remain untouched (as is possible in all similar keygeneration phases). Having started with the arrays of FIG. 29A, a firstkey generation step os performed, creating an exemplary representationshown in FIG. 29B. Subsequent interpolation of each R/S pair isperformed similarly to the interpolation of FIG. 23.

As with the process of FIG. 25C, FIG. 30 illustrates decrypting selectedgroups of variables, i, encrypting selected groups of components, j, andcreating a partially encrypted result h, E_(r,s)∘h. However, the processof FIG. 30 utilizes multivariate polynomials instead of the univariatepolynomials of FIG. 25. In such a case, rather than key pairs beingidentical for elements 1 and e+1, key triples are identical instead.

Similar to the starting point, process and result of FIGS. 26A, 26B, and26C, respectively, FIGS. 31A, 31B, and 31C illustrate the startingpoint, process and result of re-encrypting plural variables and mappingcomponents of multivariate polynomials. However, in FIGS. 31A, 31B, and31C, second multivariate polynomials are used in the process.Accordingly, by using key triples, a new E_(r′,s′)∘h is created which isthe same mapping partially encrypted with key triples (c₁,r₁′, s₁′) . .. (c_(k), r_(k)′,s_(k)′) instead of with (c₁, r₁, s₁) . . . (c_(k),r_(k),s_(k)).

FIGS. 37A-38C illustrate a method of symbolic composition of twomappings using function tables. For the illustrated composition,e(1,1)=4, e(1,2)=3, e(2,1)=1, and e(2,2)=3. Thus, f′s 2 component will“disappear” in the composition and not be used at all. The resultingcomposition, f(h₁(x₄,x₃), h₂(x₁,x₃)) is given by g(x₁,x₃,x₄). FIG. 37Dillustrates an example of computing a composition for an entry(x₁,x₃,x₄)=(0,1,0).

Similarly, according to FIGS. 38A and 38B, a composition g is given byg(x₁,x₂,x₃,x₄)=(h₁(f₁({right arrow over (x)}),f₃({right arrow over(x)})), h₂(f₂({right arrow over (x)}))). As a result, for e′(1,1)=1,e′(1,2)=3, e′(2,1)=2, and e′(2,2)=3, an exemplary composition for(x₁,x₂,x₃,x₄)=(0,1,1,1) is illustrated in FIG. 38D.

FIG. 40 illustrates a method of parameterized encryption of pluralvariables and mapping components of multivariate mappings withmultivariate mappings. Three selection processes occur: (1) groups ofvariables to be decrypted are selected in either a parameterized or anon-parameterized manner; (2) groups of variables are selected asparameters; and (3) groups of components to be encrypted are selected ineither a parameterized or a non-parameterized manner. In such anembodiment, key quadruples are used.

As referenced by 4001, the inverse permutation s_(i) is symbolicallyapplied to the group of variables, i, selected for non-parameterizeddecryption. Similarly, at 4002, the inverse permutation, S_(i), indexedby variable block g_(i) is symbolically applied to the group ofvariables, i, selected for parameterized decryption.

At 4003, selected groups of components, j, are encrypted by symbolicallycomposing them with the corresponding permutations r_(j). At 4004,selected groups of components, j, are parametrically encrypted bysymbolically composing them with the corresponding permutations r_(j),indexed by variable block g_(j). The result is a partiallyparametrically encrypted h, E_(r,s)∘h.

Attached hereto as part of the specification is a source code appendixof Java code. Such code is provided as an exemplary embodiment ofcertain routines related to the present invention and may needmodification for certain environments. Such source code is not intendedto limit the scope of protection afforded by the claims attached hereto.

Obviously, numerous modifications and variations of the presentinvention are possible in light of the above teachings. It is thereforeto be understood that, within the scope of the appended claims, theinvention may be practiced otherwise than as specifically describedherein.

1. A method creating an augmented Mealy machine from a Mealy machinehaving an input space Σ, a state space Q and an output space Δ, themethod comprising the steps of: A. selecting as a state q_(a) one of(A1) a dedicated output stopping state from the state space θ that isnot reachable from any other state in Q such that Q′=Q and (A2) anadditional stopping state not in θ if no dedicated output stopping stateexists in Q such that Q′=Q∪{q_(a)}; B. setting Δ′=Δ and adding adedicated blank symbol B to Δ′ only if Δ does not already contain adedicated blank symbol B; C. modifying the state-transition mapping δ toδ such that the augmented Mealy machine always remains in q_(a) onceq_(a) is entered; D. modifying the output mapping λ to λ′ such that theaugmented Mealy machine always outputs B once q_(a) is entered; and E.modifying a domain D of the state-transition mapping.
 2. The method asclaimed in claim 1, further comprising the steps of: F. selecting aninteger N′ based on the size of the state, input, and an output spaces;G. selecting a number N, no less than N′; and H. determining avectorization of input, state, and output spaces resulting in vectorsover Z_(N), wherein N is prime if the Mealy machine is represented usingpolynomials.
 3. The method as claimed in claim 2, further comprising thesteps of: F. adding dummy states until Q′ contains a number of statesdetermined by a vectorization of the state space using N; G. addingdummy input symbols until Σ contains a number of symbols determined bythe vectorization of the input space using N; H. adding dummy outputsymbols until Δ′ contains a number of symbols determined by thevectorization of the output space using N; I. for each pair (q, σ)∉D′,setting δ′(q, σ)=q_(a) and λ′(q, σ)=B.
 4. The method as claimed in claim2, further comprising the steps of: F. adding states until Q′ contains anumber of states determined by the vectorization of the state spaceusing N according to the sub-steps of: i. selecting a random q∈Q(alternatively in the current Q′−{q_(a)}), ii. adding a state q′ to Q′,iii. for every σ∈Σ setting δ′(q′, σ)=δ′(q, σ) and λ′(q′, σ)=λ′(q, σ),iv. optionally also for every pair (q, σ)∈Q′×Σ, such that δ′(q, σ)=q,randomly setting δ′(q, σ) to be one of q and q′ and randomly settingδ′(q′, σ) to be one of q and q′; G. modifying D to D′ to reflect theaddition of the new definitions; H. adding dummy input symbols to Σ′until it contains a number of symbols determined by the vectorization ofthe input space using N; I. adding dummy output symbols to Δ′ until itcontains a number of symbols determined by the vectorization of theoutput space using N; J. for each pair (q, σ)∉D′, setting δ′(q, σ) to arandom q′∈Q′ and setting λ′(q,σ) to a random symbol from Δ′.
 5. Themethod as claimed in claim 2, further comprising the steps of: F. addingdummy states until Q′ contains a number of states determined by thevectorization of the state space using N; G. adding dummy input symbolsuntil Σ′ contains a number of symbols determined by the vectorization ofthe input space using N; H. adding dummy output symbols until Δ′contains a number of symbols determined by the vectorization of theoutput space using N; I. for each pair (q,σ)∈D′, setting δ′(q, σ) to arandom q′∈Q′, setting λ′(q,σ) to a random output symbol in Δ′.
 6. Themethod as claimed in claim 1, further comprising the step of: F.interchanging states at random, and adjusting δ′ and λ′ accordingly; G.interchanging symbols in the extended input alphabet Σ′, and adjustingδ′ and λ′ accordingly; and H. interchanging symbols in the extendedoutput alphabet Δ′, and adjusting δ′ and λ′ accordingly.
 7. A method oftransforming state-transition and output mappings of an augmented Mealymachine to polynomial mappings, the method comprising the steps of:computing interpolations of δ′ and λ′ from the state-transition andoutput mappings; and performing polynomial interpolation of the originalstate-transition and output mappings.
 8. The method as claimed in claim7, further comprising the step of pre-computing coefficients of a_(i)(x)functions, wherein the step of performing polynomial interpolation ofthe original mappings uses the pre-computed coefficients of the a_(i)(x)functions.
 9. A method of converting a Blum-Shub-Smale machine to a BSS′machine, comprising: A. selecting an integer N such that: (1) N is atleast as large as the number of nodes, (2) N is greater thanuser-specified constants used in defining the Blum-Shub-Smale machine,(3) N is a prime number; B. restricting a ring R to only integer fieldsof a form Z_(N); C. restricting computation mappings to only polynomialmappings; D. providing a new node-numbering convention; E. changingcomparisons in branch nodes to set membership relations of the form ∈K,where k⊂(Z_(N)−{0}); F. revising a definition of a full state space toinclude a current node number, an internal state space, and output andinput spaces to produce a revised full state space; G. restrictingcomputation mappings, g_(n), to an identity mapping for input componentsof a revised full state vector; H. restricting all computation mappings,g_(n), such that no output components in the full state vector may beused in further computation; I. requiring that at least one computationmapping uses at least one input vector component; J. requiring that allhalting nodes generate output; and K. restricting node to (1)computation nodes, which may contain at least one of computations andbranches, and (2) halting nodes.
 10. A method of specifying a BSS′machine, comprising the steps of: A. specifying a set of nodes; B.specifying computation mappings for each node; C. specifying a next-nodefunction β, along with set membership relations; D. selecting an integerN such that: (1) N is at least as great as a number of nodes, (2) N isgreater than user-specified constants used in defining a correspondingBlum-Shub-Smale machine, and (3) N is a prime number; and E. specifyinga vectorization of the state, input, and output spaces.
 11. The methodas claimed in claim 9, further comprising at least one of the steps of:listing explicitly the halting nodes of the BSS′ machine; and explicitlyspecifying an output symbol B as a halting signal.
 12. The method asclaimed in claim 10, further comprising at least one of the steps of:listing explicitly the halting nodes of the BSS′ machine; and explicitlyspecifying an output symbol B as a halting signal.
 13. A method oftransforming a BSS′ machine to a multivariate polynomial mapping,comprising the steps of: A. acquiring a specification of a BSS′ machine;B. expressing a set membership relation ∈K, K⊂(Z_(N)−{0}), as apolynomial; C. expressing a next-node function β as a polynomial; and D.expressing a complete computing endomorphism H as a multivariatepolynomial mapping.
 14. A method of transforming a BSS′ machine to amapping represented as a function table, comprising the steps of: A.selecting a specification of a BSS′ machine if no single multivariatepolynomial computing endomorphism H is given; B. selecting amultivariate polynomial mapping H for the BSS′ machine; C. convertingstate and input vectors, both with base-N components, to a baseN^(1+S+I) number X, where 1+S+I is a total number of components in thestate and input vectors, wherein the state vector includes a nodenumber; D. converting the output of the computing endomorphism H withbase-N components, to a base N^(1+S+O) number F, where 1+S+O is thetotal number of components in the output of H; E. inserting F into theX^(th) entry in the function table; and F. repeating steps (C)-(E) forall possible state vector/input vector combinations.
 15. A method ofcomputing with a BSS′ machine transformed to a multivariate mappingcomprising the steps of: A. initializing the BSS′ machine; B. applyingthe multivariate mapping to the full state space vector; C. checking ifthe machine has halted, and ending computation if the machine hashalted; and D. repeating steps (B) and (C) if the machine has nothalted.
 16. The method as claimed in claim 15, wherein the step ofapplying further comprises at least one of (1) reading the output vectorproduced by the machine and (2) changing the input vector of themachine.
 17. The method as claimed in claim 15, wherein the step ofinitializing comprises the sub-steps of (1) specifying a node number;(2) specifying a remaining initial state vector; and (3) specifying aninitial input vector.
 18. A method of specifying a pattern of encryptionof multivariate mappings with univariate mappings comprising the stepsof: A. specifying a number d of variables of the multivariate mapping;B. specifying a number e of mapping components of the multivariatemapping; C. selecting variables to be used in encrypted form; D.selecting mapping components to be encrypted; and E. selecting equalityrestrictions to be placed on components in the key pairs.
 19. A methodof generating keys for univariate encryption of multivariate mappings,comprising the steps of: A. determining a key representation; B.acquiring a specified pattern of encryption; C. determining a number ofkey pairs to be generated from an acquired pattern of encryption; and D.permuting elements of field Z_(N) while simultaneously recording datafor the permutation and its inverse in two arrays R and S once for eachunique key pair generated.
 20. The method as claimed in claim 19,wherein the multivariate mappings to be encrypted are expressed usingpolynomials, further comprising the step of computing the permutationand its inverse by interpolation, using a_(i)(x); once for each uniquekey pair that is to be generated.
 21. The method as claimed in claim 19,wherein the multivariate mappings to be encrypted are expressed usingpolynomials, further comprising the steps of: precomputing arithmeticoperations over the field Z_(N); and precomputing coefficients offunctions a_(i)(x), wherein the step of computing the permutation andits inverse by interpolation uses the precomputed coefficients offunctions a_(i)(x) and the precomputed arithmetic operations.
 22. Themethod as claimed in claim 19, wherein the steps of determining a numberof key pairs further comprises the step of restricting possible keysaccording to a user input.
 23. The method as claimed in claim 19,further comprising the step of setting keys in the key pairs, that areneither to encrypt nor decrypt, to the identity mapping. 24-25.(canceled)
 26. A method of generating re-encryption keys forre-encryption of plural variables and mapping components of multivariatemappings, already partially encrypted with first univariate functions,with second univariate functions, comprising the steps of: A.determining a representation for the re-encryption; B. acquiring keypairs corresponding to the first univariate functions; C. generating anew set of key pairs (r₁′,s₁′), . . . , (r_(n+m)′,s_(n+m)′); D.symbolically composing r_(i)′, with s_(i) for 1≦i≦n; and E. symbolicallycomposing r_(i) with s_(i)′ for n<i≦n+m.
 27. The method as claimed inclaim 26, further comprising the step of acquiring a pattern ofencryption used for the first univariate functions, wherein the step ofgenerating comprises generating the new set of key pairs based on theacquired pattern.
 28. A method of re-encryption of plural variables andmapping components of multivariate mappings already partially encryptedwith first univariate functions with second univariate functions,comprising the steps of: A. determine a representation forre-encryption; B. symbolically substituting the i^(th) variable x_(i−n)with r_(i)(s_(i)′(x_(i−n))) for all n<i≦n+m; and C. symbolicallycomposing r_(i)′(s_(i)(x)) with the i^(th) function component f_(i) forall 1≦i≦n.
 29. The method as claimed in claim 28, further comprising thestep of acquiring a corresponding set of pairs of re-encryption keys,wherein the step symbolically composing comprises composing using theacquired keys.
 30. A method of converting a mapping t:Z_(N) ^(m)→Z_(N)^(n), given as a function table, into a function t′:Z_(N) _(m) →Z_(N)_(n) , also given as a function table, comprising the steps of: A.computing X=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ for a vector (x₁, . . . ,x_(m))∈Z_(N) ^(m); B. computing F=N^(n−1)f_(n)+ . . . +N¹f₂+f₁ for anentry (f₁, . . . f_(n)) corresponding to (x₁, . . . ,x_(m)); C. settingt′(X)=F; and D. repeating for all (x₁, . . . , x_(m))∈Z_(N) ^(m).
 31. Amethod of converting a function t: Z_(N) _(m) →Z_(N) _(n) , given as afunction table, into a function t′: Z_(N) ^(m)→Z_(N) ^(n), also given asa function table, comprising the steps of: A. computing X=N^(m−1)x_(m)+. . . +N¹x₂+x₁ B. reducing t(X) to a base-N representation, such thatt(X) is represented by a tuple (f₁, . . . , f_(n)); C. setting the tuplein t′, indexed by (x₁, . . . , x_(m)) to (f₁, . . . , f_(n)); and D.repeating for all (x₁, . . . , x_(m))∈Z_(N) ^(m).
 32. A method ofsymbolically composing mappings f:Z_(N) ^(m)→Z_(N) ^(n) and g:Z_(N)^(n)→Z_(N) ^(o) represented as function tables to produce the functiontable for g(f(x)), comprising the steps of: A. generating a new functiont_(f):Z_(N) _(m) →Z_(N) _(n) represented by a function table, whereevery mapping value (f₁, . . . ,f_(n)) corresponding to a (x₁, . . . ,x_(m)) is placed in entry number X=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ as thenumber F=N^(n−1)f_(n)+ . . . +N¹f₂+f₁; B. generating a new functiont_(g):Z_(N) _(m) →Z_(N) _(n) represented by a function table, whereevery mapping value (f₁, . . . , f_(n)) corresponding to a (x₁, . . . ,x_(m)) is placed in entry number X=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ as thenumber F=N^(n−1)f_(n)+ . . . +N¹f₂+f₁; and C. for each X from 0 toN^(m)−1 setting t_(gf)(X)=t_(g)(t_(f)(X)), where t_(gf) is a functiontable for a function t_(gf):Z_(N) _(m) →Z_(N) _(n) .
 33. A method ofspecifying a pattern of encryption of multivariate mappings with othermultivariate mappings comprising the steps of: A. selecting a number ofmapping components c_(i) to be grouped together, c_(i)≧1 for in all lsuccessive groups of components, covering all components in a mappingonly once; B. selecting a number of variables c_(i) to be groupedtogether, c_(i)≧1, for in all k−l successive groups of variables,covering all variables in a mapping only once; C. selecting groups ofcomponents to be encrypted; D. selecting groups of variables to be usedin encrypted form; and E. selecting equality restrictions to be placedon components in the key triples. 34-39. (canceled)
 40. A method ofgenerating re-encryption keys for re-encryption of plural variables andmapping components of multivariate mappings already partially encryptedwith first multivariate mappings with second multivariate mappingscomprising the steps of: A. determining a representation for keys; B.acquiring key triples used with the first multivariate mappings; C.generating a new set of key triples (c₁′,r₁′,s₁′), . . . ,(c_(k)′,r_(k)′,s_(k)′); D. symbolically composing r_(i)′ with s_(i) for1≦i≦l; and E. symbolically composing r_(i) with s_(i)′ for l<i≦k. 41.The method as claimed in claim 40, wherein the multivariate mappingscomprise one of polynomials and function tables.
 42. A method ofre-encrypting plural variables and mapping components of multivariatemappings already partially encrypted with first multivariate mappingswith second multivariate mappings, the method comprising the steps of:A. determining a representation for the re-encryption; B. acquiring keytriples used for the encryption using the first multivariate mappings;C. symbolically substituting an i−l^(th) variable block {right arrowover (w)}_(i−l) with r_(i)(s_(i)′({right arrow over (w)}_(i−l))), forall l<i≦k; and D. symbolically composing r_(i)′(s_(i)({right arrow over(w)})) with an i^(th) function component block {right arrow over(v)}_(i) for all 1≦i≦l.
 43. A method of symbolically composing mappingsf:Z_(N) ^(m)→Z_(N) ^(n) and h₁, . . . , h_(k):Z_(N) ^(c) ^(i) →Z_(N)^(c) ^(i) , represented as function tables, to produce the functiontable for f(h₁(x₁, . . . , x_(c) _(i) ), h₂(x_(c) _(i) ₊₁, . . . ,x_(c)_(i) _(+c) ₂ ), . . . ,h_(k)(x_(m−c) _(k) ₊₁, . . . ,x_(m))), comprisingthe steps of: A. acquiring a specification for the c_(i) such that${{\sum\limits_{i = 1}^{k}c_{i}} = m};$ B. generating a new functiont_(f):Z_(N) _(m) →Z_(N) _(n) represented by a function table, whereevery mapping value (f₁, . . . , f_(n)) corresponding to a (x₁, . . . ,x_(m)) is placed in entry number X=N^(m−1)x_(m)+ . . . +N¹x₂+x₁ as thenumber F=N^(n−1)f_(n)+ . . . +N¹f₂+f₁; C. for each i generating a newfunction t_(h,i):Z_(N) _(c) _(i)→Z_(N) _(c) _(i) represented by afunction table where every mapping value (h_(i,1), . . . , h_(i,c) _(i)) corresponding to a (x_(a+1), . . . , x_(a+c) _(i) ), where$a = {\sum\limits_{j = 1}^{i - 1}c_{i}}$ is placed in entry numberX=N^(c) ⁻¹x_(a+c) _(i) + . . . +N¹x_(a+2)+x_(a+1) as the number H=N^(c)^(i) ⁻¹h_(i,c) _(i) + . . . +N¹h_(i,2)+h_(i,1). D. initializing a newfunction table for a function t_(fh):Z_(N) _(m) →Z_(N) _(m) ; E. forevery i from 1 to k setting y_(i)=N^(c) ^(i) ; F. for every i from 0 toN^(m)−1: i. setting u=0; ii. for every j from k to 1 settingu=y_(j)u+t_(fh)(b_(j)); iii. setting t_(fh)(i)=t_(f)(u); and iv.incrementing the vectorized index (b₁, . . . , b_(k)), taking intoaccount that b₁ is in base y₁, b₂ is in base y₂, . . . ,b_(k) is in basey_(k).
 44. A method of symbolically composing mappings f:Z_(N)^(m)→Z_(N) ^(n) and h₁, . . . , h_(k):Z_(N) ^(c) ^(i) →Z_(N) ^(c) ^(i)represented as function tables to produce the function table for(h₁(f₁(x₁, . . . ,x_(m)), . . . ,f_(c) ₁ (x₁, . . . ,x_(m))), . . .,h_(k)(f_(n−c) _(k) ₊₁(x₁, . . . ,x_(m)), . . . ,f_(n)(x₁, . . . ,x_(m)))), comprising the steps of: A. acquiring a specification for thec_(i) such that ${{\sum\limits_{i = 1}^{k}c_{i}} = n};$ B. generating anew function t_(f):Z_(N) _(m) →Z_(N) _(n) represented by a functiontable, where every mapping value (f₁, . . . ,f_(n)) corresponding to a(x₁, . . . , x_(m)) is placed in entry number X=N^(m−1)x_(m)+ . . .+N¹x₂+x₁ as the number F=N^(n−1)f_(n)+ . . . +N¹f₂+f₁; C. for each igenerating a new function t_(h,i):Z_(N) _(c) _(i)→Z_(N) _(c) _(i)represented by a function table where every mapping value (h_(i,1), . .. ,h_(i,c) _(i) ) corresponding to a (f_(a+1), . . . ,f_(a+c) _(i) ),where ${a = {\sum\limits_{j = 1}^{i - 1}c_{i}}},$ is placed in entrynumber X=N^(c) ^(i) ⁻¹f_(a+c) _(i) + . . . +N¹f_(a+2)+f_(a+1) as thenumber H=N^(c) ⁻¹ h_(i,c) _(i) + . . . +N¹h_(i,2)+h_(i,1); D.initializing a new function table for a function t_(hf):Z_(N) _(m)→Z_(N) _(m) ; E. setting y₀=1, y₁=1; F. for every i from 2 to k settingy_(i)=y_(i−1)N^(c) _(i) ⁻¹; G. initializing a vector (b₁, . . . ,b_(k))to (0, . . . ,0); H. for every i from 0 to N^(n)−1: i. settingu=t_(f)(i); ii. setting q=0; iii. for every j from k to 1: a. setting pto the integer result of u/y_(j); b. setting u=u−py_(j) to get theremainder; c. setting p to the integer result of u/y_(j−1); d. settingb_(j)=t_(h,j)(p); e. adding y_(j)b_(j) to q; and iv. settingt_(hf)(i)=q.
 45. A Turing platform, supporting unencrypted and partiallyencrypted polynomial computation for some machine M, on a host O,comprising: A. a Turing machine; B. a register writeable by a finitecontrol of the Turing machine and readable by M; C. a register readableby the finite control of the Turing machine and writeable by M; D. aregister writeable by the host O; and E. a register readable by the hostO.
 46. A method of computing with host O running a Turing platform Tsupporting at least one of a Mealy or BSS′ machine M, comprising: A.initializing the machine; B. initialize the Turing platform; C. reading,by T, a storage cell at which its finite control is located; D. writing,by T, a contents of the storage cell to a register readable by M; E.writing, by O, to a remaining input of M; F. executing, by O, onecomputation step for M; G. writing, by O, some output of M to part ofthe register readable by T; H. writing, by O, M′s computed direction ofmovement for the finite control of T to a remainder of register readableby T; I. writing, by O, a rest of the output of M to the host O. J.reading, by T, from the readable register of T; K. writing, by T, a newcell value to storage; L. moving the finite control of T one of left,right, and not at all; M. checking by O to see if a halting conditionhas occurred; and N. repeating steps (C)-(M).
 47. The apparatus of aregister machine, comprising: A. a set P={{right arrow over (P)}_((i) ₁, . . . ,i_(d))} of vectors of integers in Z_(N) ^(d) indexed by vectorsalso in Z_(N) ^(d); B. either a vector S indicating the end of theprogram in P, or a constant T, which functions as an instructionindicating that the computation is finished; C. a vector {right arrowover (C)}∈Z_(N) ^(d) functioning as instruction pointer; D. a setS={{right arrow over (S)}_(i) ₁ _(, . . . ,i) _(d) ₎} of vectors ofintegers in Z_(N) ^(d) indexed by vectors also in Z_(N) ^(d); E. avector {right arrow over (D)}∈Z_(N) ^(d) functioning as storage pointer;F. at least one register ({right arrow over (R)}₁, . . . ,{right arrowover (R)}_(m)) of vectors of integers in Z_(N) ^(d) for 0<m≦N; G. a nextinstruction pointer mapping f({right arrow over (R)}₁, . . . ,{rightarrow over (R)}_(m),{right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}):Z_(N) ^(d(m+4))→Z_(N) ^(d); H. a next storage pointer mappingg({right arrow over (R)}₁, . . . ,{right arrow over (R)}_(m),{rightarrow over (P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}):Z_(N) ^(d(m+4))F→Z_(N) ^(d); I. a specification of the registersthat accept input from the host platform; J. a number k of registers notaccepting input from the host platform, such that 0≦k≦m; K. a registertransition mapping h({right arrow over (R)}₁, . . . ,{right arrow over(R)}_(m), {right arrow over (P)}_({right arrow over (C)}),{right arrowover (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrowover (D)}):Z_(N) ^(d(m+4))→Z_(N) ^(kd); L. a storage transition mappingq({right arrow over (R)}₁, . . . ,{right arrow over (R)}_(m),{rightarrow over (P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (S)}_(D),{right arrowover (C)},{right arrow over (D)}):Z_(N) ^(d(m+4))→Z_(N) ^(d); M. aspecification for initializing P and S; and N. a specification for whereinput is entered, including: through at least one register, through atleast one storage space S, through an initial contents of an instructionspace P, or through an initial contents of the at least storage space S.48. A method of initializing a register machine comprising the steps of:A. specifying initial values of {right arrow over (R)}₁, . . . ,{rightarrow over (R)}_(m),{right arrow over (C)},{right arrow over (D)}; B.optionally specifying values for at least one storage cell {right arrowover (S)}_({right arrow over (D)}) in S; C. specifying elements in P;and D. computing values of {right arrow over(P)}_({right arrow over (C)}) and {right arrow over(S)}_({right arrow over (D)}.)
 49. A method of using a register machine,comprising the steps of: A. initializing the register machine; B.computing a next instruction pointer: {right arrow over (C)}′=f({rightarrow over (R)}₁, . . . ,{right arrow over (R)}_(m),{right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}); C. computing a next storage pointer: {right arrow over(D)}′=g({right arrow over (R)}₁ . . . ,{right arrow over (R)}_(m),{rightarrow over (P)}{right arrow over (C)},{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}); D. computing a value to be written to a current storage cell:{right arrow over (S)}′=q({right arrow over (R)}₁, . . . ,{right arrowover (R)}_(m),{right arrow over (P)}_({right arrow over (C)}),{rightarrow over (S)}_({right arrow over (D)}),{right arrow over (C)},{rightarrow over (D)}); E. computing the register transition mapping: ({rightarrow over (R)}_(j), . . . ,{right arrow over (R)}_(j) _(k) )=h({rightarrow over (R)}₁, . . . ,{right arrow over (R)}_(m), {right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}), where j_(i), . . . ,j_(k) specify the registers which theregister machine may change; F. setting {right arrow over(S)}_({right arrow over (D)})={right arrow over (S)}′, {right arrow over(C)}={right arrow over (C)}′, and {right arrow over (D)}={right arrowover (D)}′; G. computing {right arrow over (P)}_({right arrow over (C)})and {right arrow over (S)}_({right arrow over (D)}) using input from ahost; and H. repeating steps (B)-(G) until a halting condition issatisfied.
 50. The method as claimed in claim 48, further comprising: I.specifying a register dedicated to output of movement direction, usingan integer y such that 0<y≦m, and an integer z such that 0<z≦d; J.specifying a register dedicated as output to a Turing platform; and K.specifying a register dedicated as input from a Turing platform, whereineach storage unit is a vector in Z_(N) ^(d).
 51. A method of using aregister machine M on a host O comprising the steps of: A. initializinga register machine; B. initializing a Turing platform; C. reading, by T,a storage cell at which its finite control is located; D. writing, by T,a contents of the storage cell to a specified register of M; E. writing,by O, to a remaining specified input registers of M; F. computing thenext instruction pointer: {right arrow over (C)}′=f ({right arrow over(R)}₁, . . . ,{right arrow over (R)}_(m),{right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}); G. computing the next storage pointer: {right arrow over(D)}′=g({right arrow over (R)}₁, . . . ,{right arrow over(R)}_(m),{right arrow over (P)}_({right arrow over (C)}),{right arrowover (S)}_({right arrow over (D)}),{right arrow over (C)},{right arrowover (D)}); H. computing the value to be written to the current storagecell: {right arrow over (S)}′=q({right arrow over (R)}₁, . . . ,{rightarrow over (R)}_(m),{right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}); I. computing the register transition mapping: ({right arrow over(R)}_(j) ₁ , . . . ,{right arrow over (R)}_(j) _(k) )=h({right arrowover (R)}₁, . . . ,{right arrow over (R)}_(m),{right arrow over(P)}_({right arrow over (C)}),{right arrow over(S)}_({right arrow over (D)}),{right arrow over (C)},{right arrow over(D)}) where j₁, . . . ,j_(k) specify the registers which the registermachine may change; J. setting {right arrow over(S)}_({right arrow over (D)})={right arrow over (S)}′, {right arrow over(C)}={right arrow over (C)}′, and {right arrow over (D)}={right arrowover (D)}′; K. computing {right arrow over (P)}_({right arrow over (C)})and {right arrow over (S)}_({right arrow over (D)}); L. reading, by T,from the readable register of M; M. writing, by T, a new cell value tostorage; N. reading, by T, from a second readable register of M itsdirection of movement; O. moving the finite control of T one of left,right, and not at all; P. checking by O to see if a halting conditionhas occurred; and Q. repeating steps (C)-(P).
 52. A method ofsymbolically composing f:Z_(N) ^(m)→Z_(N) ^(d) with h₁, . . . ,h_(k):Z_(N) ^(d) ^(i) →Z_(N) ^(c) ^(i) , producing the mappingf(h₁(x_(e(1,1)), . . . ,x_(e(1,d) ₁ ), . . . ,x_(e(k,d) _(k)) )),${\sum\limits_{i = 1}^{k}c_{i}} = m$ comprising the steps of: A.acquiring a specification of index selections e(1,1), . . . , e(1, d₁),. . . , e(k,1), . . . , e(k,d_(k)) deciding how variables are used inthe composition; B. initializing a vector (a₁, . . . ,a_(m)) to (0, . .. ,0); C. performing, for every i from 0 to N^(m)−1
 1. For every j fromk to 1 compute h_(j)(a_(e(j,1)), . . . ,a_(e(j,d) _(j) ₎) do: a. settingt_(fh)(a₁, . . . , a_(m))=f (h₁, . . . , h_(k)); b. increment avectorized index (a₁, . . . ,a_(m)).
 53. A method of symbolicallycomposing h₁, . . . , h_(k) with f producing the mapping(h₁(f_(e′(1,1))(x₁, . . . ,x_(m)), . . . ,f_(e′(1,c) ₁ ₎(x₁, . . .,x_(m)),x_(e(1,1)), . . . ,x_(e(1,d) ₁ ₎), . . . , h_(k)(f_(e′(k,1))(x₁,. . . ,x_(m)), . . . ,f_(e′(k,c) _(k) ₎(x_(e(k,1)), . . . ,x_(e(k,d)_(k) ₎)), comprising the steps of: A. acquiring a specification of indexselections e′(1,1), . . . , e′(1,c _(i) ), . . . , e′(k,1), . . . ,e′(k,c_(k)) deciding how mapping components are used in the composition; B.acquiring a specification of index selections e(1,1), . . . ,e(1, d₁), .. . ,e(k,1), . . . ,e(k, d_(k)) deciding how variables are used; C.setting a vector (a₁, . . . ,a_(m)) to (0, . . . ,0); D. For every ifrom 0 to N^(m)−1 do:
 1. For every j from k to 1 computeh_(j)(f_(e′(j,1)), . . . ,f_(e′(j,c) _(j) ₎,x_(e(j,1)), . . . ,x_(e(j,d) _(j) ₎); a. Setting t_(hf)(a₁, . . . ,a_(m))=(h₁, . . .,h_(k)). b. Increment the vectorized index (a₁, . . . ,a_(m)).
 54. Amethod of specifying a pattern of parametrized encryption ofmultivariate mappings with other multivariate mappings comprising thesteps of: A. selecting a number of mapping components c_(i) to begrouped together, c_(i)≧1, for all l successive groups of components,covering all components in a mapping only once; B. selecting a number ofvariables c_(i) to be grouped together, c_(i)≧1, for all k−l successivegroups of variables, covering all variables in a mapping only once; C.selecting a group of variables g_(i), l<g_(i)≦k, to be used as“parameter”, or explicitly selecting no such “parameter” for all ksuccessive groups of components and variables; D. selecting groups ofmapping components to be encrypted; E. selecting groups of variables tobe used in encrypted form; and F. selecting equality restrictions to beplaced on components in the key quadruples.
 55. A method of generatingkeys for parametrized multivariate encryption of multivariate mappings,comprising the steps of: A. determining an appropriate representationfor the keys; B. defining for an i^(th) key quadruple that is to doparametrized encryption/decryption two temporary N^(c) ^(i) ^(+c) ^(gi)×(c_(i)+1) arrays R and S; C. defining for an i^(th) key quadruple thatis to do non-parametrized encryption/decryption two temporary N^(c) ^(i)×(c_(i)+1) arrays R and S; D. repeating steps (A)-(C) for all iquadruples; E. defining a temporary polynomial f to translate frombase-N vectors to base-N^(c) ^(i) with c_(i) components; F. permuting aring Z_(N) _(c) ^(i) , and simultaneously translating the permutationand its inverse to the field Z^(c) ^(i) _(N); G. repeating step (F) inall N^(c) ^(gi) times while recording data, for key quadruples that areto do parametrized encryption/decryption; and H. repeating steps (E)-(G)of generating permutations for every key quadruple.
 56. The method asclaimed in claim 55, wherein the mappings to be encrypted are expressedusing polynomials, further comprising the step of computing encryptionand decryption mappings by interpolation, using at least a portion of Rand S as interpolation data and using a_(i)(x), once for each unique keyquadruple that is to be generated.
 57. The method as claimed in claim55, further comprising the step of restricting a new set of keyquadruples according to a pattern used for encryption.
 58. The method asclaimed in claim 55, further comprising the step of setting all keyquadruples that are to do neither encryption nor decryption to theidentity mapping.
 59. A method of encrypting multivariate mappings withparametrized multivariate mappings, comprising the steps of: A.determining appropriate mapping representation for the encryption; B.symbolically substituting each group of variables {right arrow over(w)}_(i−l) to be decrypted in a parametrized manner with s_(i)({rightarrow over (w)}_(i−l), {right arrow over (w)}_(g) _(i) _(−l)); C.symbolically substituting each group of variables {right arrow over(w)}_(i−l) to be decrypted in a non-parametrized manner withs_(i)({right arrow over (w)}_(i−l)); D. symbolically composing eachgroup of mapping components {right arrow over (v)}_(i) to be encryptedin a parametrized manner with r_(i)({right arrow over (v)}_(i), {rightarrow over (w)}_(g) _(i) _(−l)); and E. symbolically composing eachgroup of mapping components {right arrow over (v)}_(i) to be encryptedin a non-parametrized manner with r_(i)({right arrow over (v)}_(i)). 60.A method of specifying an encryption pattern for parametrized encryptionof a register machine, comprising the steps of: A. defining a pattern ofparametrized encryption; B. setting all c_(i)=d for a mapping doingcomputations of the register machine; C. marking at least one registeraffected by a register transition mapping as plaintext registers; D.marking a next instruction pointer and next storage pointer mappings asplaintext mappings; E. marking key quadruples for the marked registersas not to be encrypted/decrypted; F. marking the register transitionmapping for non-parametric encryption; G. marking the storage cellmapping q for parametric encryption; and H. marking at least one “cell”in the storage space as plaintext “cells”.
 61. A method of keygeneration for parametrically encrypting a register machine, comprisingthe steps of: A. determining a representation for keys; B. defining, fora key quadruple that is to do parametrized encryption/decryption onstorage cells, two temporary N^(d+d)×(d+1) arrays R and S; C. definingfor an i^(th) key quadruple that is to do non-parametrizedencryption/decryption on register variables two temporary N^(d)×(d+1)arrays R and S; D. defining a temporary polynomial to translate frombase N^(d) to base-N vectors with d components; E. permuting a ringZ_(N) _(d) , and simultaneously translating the permutation and itsinverse to a field Z_(N) ^(d); F. setting the permutations to theidentity mapping for the cells in the storage mapping marked asunencrypted; G. repeating step (F) in all N^(d) times, except for cellsin the storage mapping marked as unencrypted, while recording data, forthe key quadruples that are to do parametrized encryption/decryption onthe storage mapping; H. permuting the ring Z_(N) _(d) , andsimultaneously translating the permutation and its inverse to the fieldZ_(N) ^(d); and I. repeating the permuting step (H) for every keyquadruple that is to encrypt a register transition mapping.
 62. Themethod as claimed in claim 61, wherein mappings are represented usingpolynomials, further comprising the step of: computing i^(th) encryptionand decryption mappings using in all 2d polynomial interpolations usingR and S and a base-translation function f for all i quadruples.
 63. Themethod as claimed in claim 60, further comprising: determining anappropriate representation for an encryption of the register machine;and encrypting the register machine.
 64. The method as claimed in claim61, further comprising the step of acquiring an set of key quadruplesfor use compositions.
 65. The method as claimed in claim 10, wherein thesteps (A)-(E) are performed by a computer.
 66. The method as claimed inclaim 13, wherein the steps (A)-(D) are performed by a computer.
 67. Themethod as claimed in claim 14, wherein the steps (A)-(F) are performedby a computer.